
www.CareerCert.info

Designing for Cisco Internetwork Solutions (DESGN) v2.0

2007 Cisco Systems, Inc. All rights reserved.

DESGN v2.0-1

The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.


Course Introduction

Designing for Cisco Internetwork Solutions v2.0


Learner Skills and Knowledge


Prerequisite skills and knowledge: Cisco CCNA certification
Recommended training: Introduction to Cisco Network Technologies; Interconnecting Cisco Network Devices
Building Cisco Multilayer Switched Networks-level knowledge of wireless and QoS topics
Recommended training: Building Cisco Multilayer Switched Networks
Practical experience with deploying and operating networks based on Cisco network devices and Cisco IOS Software


Course Goal
To enable learners to gather customer internetworking requirements, identify solutions, and design the network infrastructure and services to ensure the basic functionality of the proposed solutions.

Designing for Cisco Internetwork Solutions v2.0


Course Flow

Day 1
AM: Course Introduction; Applying a Methodology to Network Design
PM: Structuring and Modularizing the Network

Day 2
AM: Designing Basic Campus and Data Center Networks
PM: Designing Remote Connectivity

Day 3
AM: Designing IP Addressing and Selecting Routing Protocols
PM: Evaluating Security Solutions for the Network

Day 4
AM: Identifying Voice Networking Considerations
PM: Identifying Wireless Networking Considerations

Day 5
AM: Implementing and Operating the Network; Final Case Study
PM (after lunch): Final Case Study


Cisco Icons and Symbols


Cisco Icons and Symbols (Cont.)


Cisco Certifications


Cisco Career Certifications


DESGN: Certification for associate-level recognition in network design

Expert: CCDE
Professional: CCDP
Associate: CCDA

Required exam: 640-863 DESGN
Recommended training through Cisco Learning Partners: Designing for Cisco Internetwork Solutions; Building Cisco Multilayer Switched Networks

640-801 CCNA
Recommended training: Interconnecting Cisco Network Devices; Introduction to Cisco Network Technologies

http://www.cisco.com/go/certifications



Applying a Methodology to Network Design

Designing for Cisco Internetwork Solutions (DESGN) v2.0


Applying a Methodology to Network Design

Introducing the Cisco Service-Oriented Network Architecture


Growth of Applications
[Figure: a cloud of application and integration technologies that the enterprise network must carry, including business intelligence, telephony, EDI, partners, compression, custom protocols, web services, mobile services, business-to-business links, ASP, business rules, field organizations, message brokers, data center transformation, .NET, ESB, database lookup, branch offices, business-to-business gateway, load balancing, extranet, distribution, security, standards, MQ Series, J2EE, legacy applications, EAI, compliance logging, event capture, remote environments, adapters, and RFID.]


IT Evolution From Connectivity to Intelligent Systems


New Business Requirements


Intelligence in the Network


Cisco Service-Oriented Network Architecture Framework


SONA is an architectural framework. SONA brings several advantages to enterprises:
Outlines how enterprises can evolve toward a more intelligent network
Illustrates how to build integrated systems across a fully converged intelligent infrastructure
Improves flexibility and increases efficiency


Cisco SONA Layers


Overview of Cisco SONA Offerings


Benefits of SONA
Benefit / Description
Functionality: Supports organizational requirements
Scalability: Supports growth and expansion of organizational tasks
Availability: Provides necessary services reliably, anywhere, anytime
Performance: Provides responsiveness, throughput, and utilization on a per-application basis
Manageability: Provides control, performance monitoring, and fault detection
Efficiency: Provides network services with reasonable operational costs and appropriate capital investment


Summary
Drivers for a new network architecture include these factors:
Growth of applications
IT evolution from connectivity to intelligent systems
Increased business expectations for networks
Cisco's vision of intelligence in the network aligns network and business requirements in three phases:
Phase 1 is integrated transport.
Phase 2 is integrated services.
Phase 3 is integrated applications.
Cisco SONA is the enterprise framework for building intelligence in the network:
Layer 1 is the integrated infrastructure layer.
Layer 2 is the interactive services layer.
Layer 3 is the application layer.



Identifying Design Requirements

Applying a Methodology to Network Design


PPDIOO Network Life-Cycle Approach


Benefits of the Life-Cycle Approach


Design Methodology Under PPDIOO


Three steps in the design methodology:
1. Identify the customer requirements.
2. Characterize the existing network and sites.
3. Design the topology and network solutions.


Identifying Customer Requirements


Identifying Planned Applications


Application Type / Application / Application Criticality (critical, important, or unimportant) / Comments
E-mail
Groupware
Web browsing
Video on demand
Database
Customer support


Example: Planned Applications


Application Type / Application / Application Criticality (critical, important, or unimportant) / Comments
E-mail: Microsoft Outlook; Important
Groupware: Cisco Unified MeetingPlace; Important; "We need to be able to share presentations and applications during remote meetings."
Web browsing: Microsoft Internet Explorer, Opera, Netscape; Important
Video on demand: IP/TV; Critical
Database: Oracle; Critical; "All data storage will be based on Oracle."
Customer support: Customer applications; Critical

Identifying Planned Infrastructure Services


Service / Comments
Security
QoS
Network management
High availability
IP telephony
Mobility


Example: Planned Infrastructure Services


Service / Comments
Security: Deploy security systematically, including firewalls, intrusion detection systems (IDSs), and access control lists (ACLs)
QoS: Give priority to delay-sensitive voice traffic and other important traffic
Network management: Use centralized management tools where appropriate and point product management as required
High availability: Eliminate single points of failure and use redundant paths as needed
IP telephony: Want to migrate the company from regular telephony
Mobility: Need client laptop guest access along with mobility of employee PCs


Identifying Organizational Goals


Organizational Goal / Gathered Data / Comments
Increase competitiveness: List competitive organizations and their abilities; Point out possibilities to increase competitiveness
Reduce costs: List current expenses; Point out cost-reduction possibilities
Improve customer support: List current customer support; Point out possible steps to improve customer support
Add new customer services: List current customer services; List future desired services


Example: Organizational Goals


Organizational Goal / Gathered Data (Existing Situation) / Comments
Increase competitiveness: Corporation Y, Corporation Z; Better products
Reduce costs: Enter data multiple times, time-consuming tasks; Single data-entry point, easy-to-learn application, simple data exchange
Improve customer support: Order tracking and technical support supported by individuals; Web-based order tracking, web-based customer technical support tools
Add new customer services: Telephone and fax orders, telephone and fax confirmation; Secure web-based ordering, secure web-based confirmations


Assessing Organizational Constraints


Organizational Constraint / Gathered Data / Comments
Budget: Amount of money to spend; Identify the amount of money the organization is willing to spend
Personnel: List available personnel and their expertise; Specify the number of network engineers who have to attend the additional training
Policy: List preferred standards, protocols, vendors, applications; Determine if the organization is willing to buy equipment from a new vendor
Scheduling: Specify time frame; Use tools for resource assignment, milestones, critical-path analysis


Example: Organizational Constraints


Organizational Constraint / Gathered Data (Existing Situation) / Comments
Budget: $650,000; Budget can be extended by a maximum of $78,000
Personnel: Engineers with Cisco CCNA certificates and Cisco CCNP certificates; Plans to hire new engineers in the network department; need technical development plan
Policy: Prefers single vendor and standardized protocols; Current equipment: Cisco; prefers to stay with it
Scheduling: Plans to introduce new applications in the next nine months; New applications include video conferencing, groupware, and IP telephony


Identifying Technical Goals


Technical Goals / Importance / Comments
Responsiveness and throughput
Availability
Manageability
Security
Adaptability
Scalability
Total: 100

Example: Technical Goals


Technical Goals / Importance / Comments
Performance: 20; Important for the central site, less important in branch offices
Availability: 25; Should be 99.9 percent
Manageability: 5
Security: 15; Security for critical data transactions is extremely important
Adaptability: 10
Scalability: 25; Scalability is critical
Total: 100

Example: Technical Constraints


Technical Constraints / Gathered Data / Comments
Existing wiring: Coaxial cabling; Replace existing coaxial cabling. Use twisted-pair to desktop and fiber optics for uplinks and in the backbone.
Bandwidth availability: 64-kbps WAN links; Upgrade speeds; consider another service provider with additional services to offer.
Application compatibility: IPv6-based applications; Make sure new network equipment supports IPv6.


Summary
The PPDIOO approach reflects the life-cycle phases of a standard network.
The design methodology under PPDIOO includes these processes:
Identifying customer requirements
Characterizing the existing network and sites
Designing the network topology and solutions
Key steps in identifying customer requirements include these:
Identifying network applications and services
Defining organizational goals and constraints
Defining technical goals and constraints



Characterizing the Existing Network and Sites

Applying a Methodology to Network Design


Characterizing the Existing Network and Sites


Gather documentation and query the organization.
Perform a site and network assessment to help detail the network.
Consider performing traffic analysis on the existing network and applications.


Identifying Major Features of the Network


Collect the information about the planned and existing network infrastructure:
Site contact information
Network topology, such as network devices, physical and logical links, external connections, encapsulations, bandwidths, IP addressing, routing protocols
Network services, such as security, QoS, high availability, IP telephony, storage, and wireless
Network applications, such as unified communications and video delivery
Collect the information about expected network functionality.
Identify network modules based on the given information.


Sample Site Contact Questions


What is the site location or name?
What is the site address?
What is the shipping address?
Who is the site contact?
Is this site owned and maintained by the customer?
Is this a staffed site?
What are the hours of operation?
What are the building or room access procedures?
Are there any special security or safety procedures?
Are there any union or labor requirements or procedures?
What are the locations of the equipment cabinets and racks?


Example: Customer Network Diagram


Network Assessment Information Sources


Example: Network Assessment


Network Assessment Tools


Manual assessment:
Use monitoring commands on network devices on small networks.
Use scripting tools to collect information on large networks.
Use existing management and auditing tools:
CiscoWorks
Third-party tools such as WhatsUp Gold, Castle Rock SNMPc, open source Cacti, Netcordia NetMRI, and NetQoS NetVoyant
Use other tools to collect relevant information for the network devices:
Third-party tools such as Network General Sniffer, AirMagnet software and devices, and WildPackets AiroPeek
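The slide recommends monitoring commands on small networks and scripting on large ones; the two are the same activity at different scale. The script below is an added example, not course material or Cisco code: it parses the summary line of "show processes cpu" and the pool table of "show memory" as they appear on Cisco IOS, combines them into one record per device, and flags devices above a utilization threshold. The device names, command output and the 75 percent CPU and 85 percent memory thresholds are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample output for two hypothetical routers. The lines are
# modelled on the summary line of "show processes cpu" and the pool table
# of "show memory" on Cisco IOS; every value is invented for this example.
SAMPLE_CPU: Dict[str, str] = {
    "core-rtr-1": "CPU utilization for five seconds: 87%/42%; one minute: 81%; five minutes: 78%",
    "branch-rtr-7": "CPU utilization for five seconds: 12%/3%; one minute: 9%; five minutes: 8%",
}
SAMPLE_MEMORY: Dict[str, str] = {
    "core-rtr-1": (
        "                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)\n"
        "Processor   6527A400   211024896   189922304    21102592    19873792    18239488\n"
        "      I/O    F000000    16777216     5242880    11534336    11534336    11526144\n"
    ),
    "branch-rtr-7": (
        "                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)\n"
        "Processor   62A1F000   104857600    41943040    62914560    60817408    59768832\n"
        "      I/O    E000000     8388608     2097152     6291456     6291456     6287360\n"
    ),
}

CPU_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)
# Pool name, hexadecimal head address, then the Total / Used / Free byte columns.
MEM_RE = re.compile(r"^\s*(Processor|I/O)\s+[0-9A-Fa-f]+\s+(\d+)\s+(\d+)\s+(\d+)", re.M)


@dataclass
class DeviceStats:
    name: str
    cpu_5s: int            # total CPU over the last five seconds (percent)
    cpu_5s_interrupt: int  # share of that spent at interrupt level (percent)
    cpu_1m: int
    cpu_5m: int
    proc_mem_total: int    # processor pool, bytes
    proc_mem_used: int

    @property
    def proc_mem_pct(self) -> float:
        return 100.0 * self.proc_mem_used / self.proc_mem_total


def parse_cpu(line: str) -> Tuple[int, int, int, int]:
    """Extract (5s, 5s interrupt, 1m, 5m) percentages from the summary line."""
    m = CPU_RE.search(line)
    if m is None:
        raise ValueError(f"unrecognised CPU summary line: {line!r}")
    five_s, irq, one_m, five_m = (int(g) for g in m.groups())
    return five_s, irq, one_m, five_m


def parse_memory(text: str) -> Dict[str, Tuple[int, int, int]]:
    """Return {pool: (total, used, free)} for each memory pool row found."""
    pools = {m.group(1): (int(m.group(2)), int(m.group(3)), int(m.group(4)))
             for m in MEM_RE.finditer(text)}
    if "Processor" not in pools:
        raise ValueError("no Processor pool row in show memory output")
    return pools


def collect(cpu_outputs: Dict[str, str], mem_outputs: Dict[str, str]) -> List[DeviceStats]:
    """Combine per-device command output into one record per device, sorted by name."""
    stats = []
    for name in sorted(cpu_outputs):
        five_s, irq, one_m, five_m = parse_cpu(cpu_outputs[name])
        total, used, _free = parse_memory(mem_outputs[name])["Processor"]
        stats.append(DeviceStats(name, five_s, irq, one_m, five_m, total, used))
    return stats


def flag_hotspots(stats: List[DeviceStats], cpu_threshold: int = 75,
                  mem_threshold: float = 85.0) -> List[Tuple[str, List[str]]]:
    """Devices whose five-minute CPU or processor-memory use is at or above the
    thresholds. The threshold values are assumptions for this example."""
    findings = []
    for s in stats:
        reasons = []
        if s.cpu_5m >= cpu_threshold:
            reasons.append(f"five-minute CPU {s.cpu_5m}%")
        if s.proc_mem_pct >= mem_threshold:
            reasons.append(f"processor memory {s.proc_mem_pct:.0f}% used")
        if reasons:
            findings.append((s.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in flag_hotspots(collect(SAMPLE_CPU, SAMPLE_MEMORY)):
        print(f"{name}: {'; '.join(reasons)}")
```

In practice the two dictionaries would be filled by running the commands over SSH against each device in the inventory; the parsers are kept separate from the collection so the same code serves a handful of devices typed by hand and a few hundred gathered by script. The five-minute average is used for flagging because the five-second figure is too noisy to act on.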


Commands for Manual Information Collection


Example: Manual Information Collection: Router CPU Utilization


Example: Manual Information Collection: Router Memory Utilization


Example: Automatic Information Collection: Cacti Device List

Example: Automatic Information Collection: NetMRI Inventory

Network Traffic Analysis


Use organizational input to identify the applications used in the existing network and their relative importance.
Perform a traffic analysis to reveal additional applications used in the network.
Use the results and organizational input to define QoS and security-related requirements for discovered applications.

Steps in Analyzing Network Traffic

Example: Traffic Analysis


Application No. 8:
Description: Accounting software
Protocol: TCP port 5151
Servers: 2
Clients: 50
Scope: Campus
Importance: High
Average rate: 50 kbps with 10-second bursts to 1 Mbps
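As an added example that is not part of the course material, the following Python script derives the worksheet fields above (protocol, server and client counts, average rate, peak rate over a 10-second window) from flow records, and lists every (protocol, port) pair seen so that applications the organization did not mention stand out. The Flow layout, addresses, ports and byte counts are constructed assumptions standing in for exported NetFlow records.

```python
"""Derive a traffic-analysis worksheet entry from flow records.

Added example for the DESGN traffic-analysis step; it is not Cisco course
code. The Flow layout, addresses, ports and byte counts below are constructed
assumptions standing in for exported NetFlow records.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    start: int    # first second of the flow, relative to capture start
    end: int      # last second of the flow (inclusive)
    src: str      # client address
    dst: str      # server address
    proto: str    # "TCP" or "UDP"
    dport: int    # destination (server) port
    nbytes: int   # bytes carried by the flow


# Constructed sample capture (300 s): an accounting application on TCP/5151
# served by two hosts, with a 10-second burst from one client, plus one
# unrelated DNS flow that the profiler must ignore.
SAMPLE_FLOWS = [
    Flow(0, 299, "10.1.10.21", "10.2.0.5", "TCP", 5151, 600_000),      # 2,000 B/s steady
    Flow(100, 109, "10.1.10.22", "10.2.0.5", "TCP", 5151, 1_250_000),  # 125,000 B/s burst
    Flow(200, 299, "10.1.10.23", "10.2.0.6", "TCP", 5151, 25_000),     # 250 B/s
    Flow(0, 299, "10.1.10.21", "10.2.0.9", "UDP", 53, 30_000),         # not the app
]


def discover_applications(flows):
    """List (proto, dport, total_bytes) seen in the capture, busiest first.

    This is the "traffic analysis reveals additional applications" step:
    anything here that organizational input did not mention needs a QoS and
    security decision of its own.
    """
    totals = {}
    for f in flows:
        key = (f.proto, f.dport)
        totals[key] = totals.get(key, 0) + f.nbytes
    return sorted(((p, d, b) for (p, d), b in totals.items()),
                  key=lambda item: item[2], reverse=True)


def profile_application(flows, proto, dport, window_s=10):
    """Build the worksheet fields for one application (proto, dport).

    Bytes of each flow are spread evenly over its seconds; the average rate is
    taken over the whole capture span and the peak over a sliding window of
    window_s seconds, which is how the slide's "10-second bursts" are found.
    Returns None when no flow matches.
    """
    matched = [f for f in flows if f.proto == proto and f.dport == dport]
    if not matched:
        return None
    t0 = min(f.start for f in flows)
    t1 = max(f.end for f in flows)
    duration = t1 - t0 + 1                 # capture span in seconds
    window_s = min(window_s, duration)     # edge case: capture shorter than window
    per_sec = [0.0] * duration
    for f in matched:
        rate = f.nbytes / (f.end - f.start + 1)
        for t in range(f.start, f.end + 1):
            per_sec[t - t0] += rate
    total_bytes = sum(f.nbytes for f in matched)
    # Rolling window sum: O(duration) instead of re-summing every window.
    running = sum(per_sec[:window_s])
    peak = running
    for t in range(window_s, duration):
        running += per_sec[t] - per_sec[t - window_s]
        peak = max(peak, running)
    return {
        "protocol": f"{proto} port {dport}",
        "servers": len({f.dst for f in matched}),
        "clients": len({f.src for f in matched}),
        "avg_kbps": round(total_bytes * 8 / duration / 1000, 1),
        "peak_kbps": round(peak * 8 / window_s / 1000, 1),
        "window_s": window_s,
    }


if __name__ == "__main__":
    for proto, dport, nbytes in discover_applications(SAMPLE_FLOWS):
        print(f"{proto}/{dport}: {nbytes} bytes")
    print(profile_application(SAMPLE_FLOWS, "TCP", 5151))
```

Scope and importance are organizational input, not measurable from flows, so they are filled in from the interviews rather than by the script.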

Network Analysis Tools


Cisco IOS Software analysis capabilities:
  NBAR
  NetFlow
Cisco software-based network analyzers:
  Cisco CNS NetFlow Collection Engine
Third-party tools, such as:
  Open source Cacti
  Network General Sniffer
  WildPackets EtherPeek and AiroPeek
  SolarWinds Orion
  Wireshark
  RMON probes
Example: NBAR Printout

Example: Cisco IOS NetFlow Printout

Example: Cacti Graph

Example: Solarwinds Orion

Summary Report
Characterization of the existing network results in a summary report that is used to:
Describe the software features required in the network
Describe possible problems in the existing network
Identify the actions needed to prepare the network for the implementation of the required features
Influence the customer requirements

Example: Equipment Summary Report


The network uses 895 routers:
655 routers use Cisco IOS Software Release 12.2(10).
240 routers use an older Cisco IOS Software version.

Example: Summary Report Problem Statement


Requirement: Queuing in the WAN
Identified problem: Existing Cisco IOS Software version does not support new queuing technologies.
  15 out of 19 routers with older Cisco IOS Software are in the WAN.
  12 out of 15 routers do not have enough memory to upgrade to Cisco IOS Software Release 12.3 or later.
  5 out of 15 routers do not have enough flash memory to upgrade to Cisco IOS Software Release 12.3 or later.

Example: Summary Report Recommendations


Recommended action:
  12 memory upgrades to 64 MB
  5 flash memory upgrades to 16 MB
Options:
  Replace hardware and software to support queuing.
  Find an alternative mechanism for that part of the network.
  Find an alternative mechanism and use it instead of queuing.
  Evaluate the consequences of not implementing the required feature in that part of the network.

Documenting an Existing Network

Network Characterization Hour Estimates


Tasks:
a) Interview management team
b) Interview network team
c) Review documentation
d) Set up network discovery tool
e) Resolve SNMP access and similar problems
f) Allow tools to gather data
g) Analyze captured data
h) Prepare high level Layer 3 diagrams
i) Prepare report stating conclusions
j) Incrementally prepare network diagrams

Estimated manpower in hours, per task (a through j) and network size:
Small Network (1-20 switches/routers): 4 4 4 4 4 4 4 4 4 4 (total 44-48)
Medium Network (20-200 switches/routers): 8 6 6 6 8 8 6 6 6 16 (total 86-98)
Large Network (200-800 switches/routers): 12 8 8 8 16 12 12 12 8 48 (total 132-180)
Huge Network (>800 switches/routers): 16 24 16 16 80 16 24 16 16 160 (total 288-384)
Additional figures on the slide: 4 4 16 8 4 16 16 4 32 16 8 32 24 8 48 24 16 48 40 16 80 40 32 80

Summary
Characterizing an existing network entails gathering as much information about the network as possible. Organization input, a network audit, and traffic analysis provide the key information that you need.
Identifying major features of the network involves gathering network documentation and querying the organization.
The auditing process adds detail to the initial network documentation that you created from existing documentation and customer input. You can manually audit a small network, but you typically need automated tools to audit a large network.
Traffic analysis verifies the set of applications and protocols used in the network and determines the traffic patterns of the applications.
Summary (Cont.)
Tools used for traffic analysis range from manual identification of applications using Cisco IOS Software commands in combination with NBAR or NetFlow to those where dedicated software- or hardware-based analyzers capture live packets or SNMP data.
The result of the network characterization is a summary report describing the health of the network.

Using the Top-Down Approach to Network Design

Applying a Methodology to Network Design

Top-Down Design Practices


Start your design here.

Design down the OSI model.

Top-Down and Bottom-Up Approach Comparison


Top-Down Approach
  Benefits:
    Incorporates organizational requirements
    Gives the big picture to organization and designer

Bottom-Up Approach
  Benefits:
    Allows a quick response to a design request
    Facilitates design based on previous experience
  Disadvantages:
    Implements little or no notion of actual organizational requirements
    May result in inappropriate network design

Example: Top-Down Voice Design

Creating a Network Decision Table


Decide which network layer requires decisions.
Gather possible options for a given situation.
Create a table that includes possible options and given requirements.
Match given requirements with specific properties of given options.
Select the option with the most matches as the most appropriate one.

Example: Selecting a Routing Protocol


Parameters                                        Required   Options: EIGRP   OSPF   BGP
Size of Network (Small/Medium/Large/Very Large)   Large               Large   Large  Very Large
Enterprise-Focused (Yes/No)                       Yes                 Yes     Yes    No
Use of VLSM (Yes/No)                              Yes                 Yes     Yes    Yes
Supports Cisco Routers (Yes/No)                   Yes                 Yes     Yes    Yes
Network Support Staff Knowledge (Good/Fair/Poor)  Good                Good    Fair   Poor
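The decision-table procedure above, carried through on the routing-protocol table as an added Python example (not course code): each option is scored against the required parameters, the options are ranked, and the one with the most matches is selected; the tie handling and the list of unmet parameters per option are assumptions of this example.

```python
"""Network decision table scoring.

Added example; not Cisco course code. Implements the slide's five-step
procedure (pick the layer, gather options, tabulate options against the
requirements, match, select the option with the most matches) on the
routing-protocol table from the slide. The tie handling and the unmet-parameter
report are assumptions of this example.
"""

# Steps 1 and 2: the decision is at the network layer; the options are EIGRP,
# OSPF and BGP. Step 3: the table, keyed by the slide's parameter names.
REQUIREMENTS = {
    "Size of Network": "Large",
    "Enterprise-Focused": "Yes",
    "Use of VLSM": "Yes",
    "Supports Cisco Routers": "Yes",
    "Network Support Staff Knowledge": "Good",
}

OPTIONS = {
    "EIGRP": {"Size of Network": "Large", "Enterprise-Focused": "Yes",
              "Use of VLSM": "Yes", "Supports Cisco Routers": "Yes",
              "Network Support Staff Knowledge": "Good"},
    "OSPF": {"Size of Network": "Large", "Enterprise-Focused": "Yes",
             "Use of VLSM": "Yes", "Supports Cisco Routers": "Yes",
             "Network Support Staff Knowledge": "Fair"},
    "BGP": {"Size of Network": "Very Large", "Enterprise-Focused": "No",
            "Use of VLSM": "Yes", "Supports Cisco Routers": "Yes",
            "Network Support Staff Knowledge": "Poor"},
}


def score_option(properties, requirements):
    """Step 4: return (matches, [unmet parameters]) for one option.

    A parameter the option does not list counts as unmet, so an incomplete
    row can never win by omission.
    """
    unmet = [p for p, required in requirements.items()
             if properties.get(p) != required]
    return len(requirements) - len(unmet), unmet


def rank_options(options, requirements):
    """Score every option; best first, ties kept in table order."""
    scored = [(name, *score_option(props, requirements))
              for name, props in options.items()]
    return sorted(scored, key=lambda row: row[1], reverse=True)


def select_option(options, requirements):
    """Step 5: names with the most matches.

    More than one name means a tie that the designer must break with
    additional requirements rather than by table order.
    """
    ranked = rank_options(options, requirements)
    best = ranked[0][1]
    return [name for name, matches, _ in ranked if matches == best]


if __name__ == "__main__":
    for name, matches, unmet in rank_options(OPTIONS, REQUIREMENTS):
        print(f"{name}: {matches}/{len(REQUIREMENTS)} matches, unmet: {unmet}")
    print("Selected:", select_option(OPTIONS, REQUIREMENTS))
```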

Assessing the Scope of the Network Design Process


Scope of Design   Comments
Entire network    All branch office LANs upgraded to support Fast Ethernet technology
Campus            Redundant equipment and links; addition of wireless client mobility
WAN               Solutions to overcome bottlenecks

Example: Assessing the Scope of the Network Design Process


Application: Designing voice transport
Network: Designing routing, addressing
Physical, data link: Choosing connection type

Structured Design Principles

Cisco SONA Offerings

Network Design Tools

Planning an Implementation
If a design is composed of multiple complex components:
  Implement each component separately; do not implement everything at once.
Incremental implementation:
  Reduces troubleshooting in case of failure
  Reduces time needed to revert to previous state in case of failure

Major Implementation Components


Each step should contain the following information:
Description
Reference to design sections
Detailed implementation guidelines
Detailed roll-back guidelines in case of failure
Estimated time for implementation

Example: Summary Implementation Plan


Columns: Date, Time; Description; Implementation Details; Complete

Phase 3 (04/02/2007): Install campus hardware (Section 6.2.3)
  Step 1: Connect switches (Section 6.2.3.1)
  Step 2: Install routers (Section 6.2.3.2)
  Step 3: Complete cabling (Section 6.2.3.3)
  Step 4: Verify data link layer (Section 6.2.3.4)
Phase 4 (04/03/2007): Configure campus hardware (Section 6.2.4)
  Step 1: Configure VLANs (Section 6.2.4.1)
  Step 2: Configure IP addressing (Section 6.2.4.2)
  Step 3: Configure routing (Section 6.2.4.3)
  Step 4: Verify connectivity (Section 6.2.4.4)
Phase 5 (04/05/2007): Launch campus updates into production (Section 6.2.5)
  Step 1: Complete connections to existing network (Section 6.2.5.1)
  Step 2: Verify connectivity (Section 6.2.5.2)

The Complete column is left blank until each step is signed off.

Example: Detailed Implementation Plan


Section 6.2.7.3, Configure routing protocols in the WAN network module:
Number of routers involved is 50.
Use template from section 4.3.1, EIGRP details.
Per router configuration:
  Use passive-interface command on all nonbackbone LANs. (See section 4.2.3, EIGRP details.)
  Use summarization according to the design. (See section 4.2.3, EIGRP details, and section 4.2.2, Addressing details.)
Estimated time is 10 minutes per router.
Roll-back procedure is not required.

Pilot vs. Prototype Networks


The pilot or prototype network is used as proof of concept for the design:
  A pilot network tests and verifies the design before the network is launched.
  A prototype network tests and verifies a redesign in an isolated network before it is applied to the existing network.
Results: Success or Failure

Example: Prototype Network

Detailed Structure of a Design Document

Summary
Designing an enterprise network is a complex project. Top-down design facilitates the process by dividing it into smaller, more manageable steps.
Decision tables facilitate the selection of the most appropriate option from many possibilities.
In assessing the scope of a network design, determine whether the design is for a new network or is a modification of the entire network, a single segment or module, a set of LANs, a WAN, or a remote-access network.
The output of the design should be a model of the complete system. To achieve this, the top-down approach is highly recommended.

Summary (Cont.)
When the design is complete, you are ready to document the implementation and migration in as much detail as possible.
After a design is complete, you should verify it. You can test the design in an existing or live network (pilot) or in a prototype network that will not affect the existing network.
A design document lists the design requirements, documents the existing network, documents the network design, identifies the proof-of-concept strategy, and details an implementation plan.

Module Summary
Cisco SONA is the enterprise framework for implementing intelligent networks and maps business requirements to network requirements.
The design methodology under PPDIOO includes these tasks:
  Identifying customer requirements
  Characterizing the existing network and sites
  Designing the network topology and solutions
The result of network characterization is a summary report describing the health of the network.
Top-down design facilitates network design.

Structuring and Modularizing the Network

Designing for Cisco Internetwork Solutions (DESGN) v2.0

Designing the Network Hierarchy

Structuring and Modularizing the Network

Layers in the Hierarchical Model

Example: Hierarchical Network

Access Layer
Concentration point at which clients access the network
Layer 2 switching in the access layer:
  Defines a single broadcast domain
Multilayer switching in the campus access layer:
  Optimally satisfies the needs of a particular user through routing, filtering, authentication, security, or quality of service
Multilayer switching in the WAN access layer:
  Helps control WAN costs using dial-on-demand routing (DDR) and static routing

Example: Access Layer Connectivity in the Campus LAN

Workstations are attached to VLANs with Layer 2 switches.
Recommended practice: Implement one VLAN (IP subnet) per access switch.
Access switches connect upstream over Layer 3 links (if there is only one VLAN per access switch) or over a VLAN trunk.
If needed, distribution routers route between VLANs.
Distribution Layer
Provides multilayer switching between access and core layers:
  Provides media transitions
  Aggregates bandwidth by concentrating multiple low-speed access links into a high-speed core link
  Determines department or workgroup access
  Provides redundant connections for access devices

Implements policy-based decisions:
  Filtering by source or destination address
  Filtering on input or output ports
  Hiding internal network numbers by route filtering
  Static routing
  Security
  Quality of service mechanisms

Example: Distribution Layer in the Routed Campus Network

Core Layer
The function of the core layer is to provide fast and efficient data transport that:
  Forms a high-speed backbone with fast transport services
  Provides redundancy and fault tolerance
  Offers good manageability

Note: The core layer should avoid packet manipulation for filtering or access list checking.

Example: Multilayer Switching in the Campus Core

Example: Routing in the WAN Network

Summary
The hierarchical network model provides a modular view of a network, making it easier to design and build a network. The purpose of the access layer is to grant end-user access to network resources. The distribution layer provides aggregation for the access layer devices and uplinks to the core layer. It is also used to enforce policy within the network. The core layer provides a high-speed, highly available backbone designed to switch packets as fast as possible.

Using a Modular Approach in Network Design

Structuring and Modularizing the Network

Service-Oriented Network Architecture

Example: Cisco Enterprise Campus Architecture

Cisco Enterprise Architecture

Example: Dividing the Network into Areas

Enterprise Campus Infrastructure Module

Building Access Layer

Building Distribution Layer

Campus Core Layer

Server Farm Module

Enterprise Edge Modules

E-Commerce Module

Internet Connectivity Module

Remote Access and VPN Module

WAN and MAN and Site-to-Site VPN Module

Enterprise Edge Guidelines


1. Determine the connectivity needed to the Internet.
2. Create the e-commerce module if needed.
3. Design the remote access and VPN module if needed.
4. Design the WAN module to support connections to remote enterprise locations if needed.

Service Provider Modules

Enterprise Remote Modules

Enterprise Branch Module

Enterprise Data Center Module

Enterprise Teleworker Module

Summary
Based on SONA, the Cisco Enterprise Architecture provides a modular enterprise-wide hierarchical approach for providing network infrastructure and services to all places in the network. The enterprise campus infrastructure module includes the campus infrastructure module and the server farm module. The enterprise edge modules include the e-commerce module, the Internet connectivity module, the remote access and VPN module, and the WAN and MAN and site-to-site modules. The remote enterprise modules include the remote branches, data centers, and teleworkers.

Using Infrastructure Services

Structuring and Modularizing the Network

Explaining the Role of Infrastructure Services

Modularizing Internal Security

Reasons for Internal Security


The enterprise campus is protected by security functions in the enterprise edge:
- If the enterprise edge security fails, the unprotected enterprise campus is vulnerable.
- The potential attacker can gain physical access to the enterprise campus.
- Some network solutions require indirect external access to the enterprise campus.

All vital elements in the enterprise campus must be protected independently.

External Threats

Designing High Availability


- Analyze the business and technical goals.
- Identify critical applications, systems, internetworking devices, and links.
- Document the trade-offs between redundancy and cost and simplicity versus complexity.
- Duplicate any component whose failure could disable critical applications.
- Duplicate vital links and connect them to different devices.

Designing Route Redundancy


Design redundant routes:
- Minimize the effect of link failures.
- Minimize the effect of an internetworking device failure.

Make the connection redundant:
- Parallel physical links between switches and routers
- Backup LAN and WAN links

Make the network redundant:
- Full mesh to provide complete redundancy and good performance
- Partial mesh, which is cheaper and more scalable
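The high-availability rules above ("duplicate any component whose failure could disable critical applications", "duplicate vital links and connect them to different devices") can be checked mechanically against a topology. The block below is an added example, not course material or Cisco code: it removes each device and each link in turn from a constructed campus graph and reports the ones whose single failure cuts the access switch off from a critical server. The device names and the topology (access switch partially meshed to two distribution switches, distribution fully meshed to the core, a single-attached server) are made up for the illustration.

```python
# Added example (not from the DESGN course or Cisco): a single-point-of-failure
# check over a constructed campus topology. Device names are made up.
from collections import deque
from typing import Dict, FrozenSet, Iterable, Set, Tuple

Graph = Dict[str, Set[str]]
Link = FrozenSet[str]


def undirected(edges: Iterable[Tuple[str, str]]) -> Graph:
    g: Graph = {}
    for a, b in edges:
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)
    return g


def reachable(g: Graph, start: str, dead_nodes: Set[str] = frozenset(),
              dead_links: Set[Link] = frozenset()) -> Set[str]:
    """Breadth-first search that ignores failed devices and failed links."""
    seen, queue = {start}, deque([start])
    while queue:
        n = queue.popleft()
        for m in g[n]:
            if m in dead_nodes or frozenset((n, m)) in dead_links or m in seen:
                continue
            seen.add(m)
            queue.append(m)
    return seen


def single_points_of_failure(g: Graph, sources: Set[str], targets: Set[str]):
    """Return (devices, links) whose failure, on its own, leaves some source
    without any path to any target."""
    def cut_off(**dead) -> bool:
        return any(not (reachable(g, s, **dead) & targets) for s in sources)

    spof_nodes = {n for n in g
                  if n not in sources | targets and cut_off(dead_nodes={n})}
    links = {frozenset((a, b)) for a in g for b in g[a]}
    spof_links = {l for l in links if cut_off(dead_links={l})}
    return spof_nodes, spof_links


def build_topology(dual_attached_server: bool) -> Graph:
    edges = [
        ("ACC1", "DIST1"), ("ACC1", "DIST2"),    # access partially meshed to distribution
        ("DIST1", "DIST2"),
        ("DIST1", "CORE1"), ("DIST1", "CORE2"),  # distribution fully meshed to core
        ("DIST2", "CORE1"), ("DIST2", "CORE2"),
        ("CORE1", "CORE2"),
        ("CORE1", "SF1"), ("CORE2", "SF1"),      # server farm switch 1, dual uplinks
        ("SF1", "SRV1"),                         # server single-attached to SF1
    ]
    if dual_attached_server:
        # second server farm switch and a second NIC on the server
        edges += [("CORE1", "SF2"), ("CORE2", "SF2"), ("SF2", "SRV1")]
    return undirected(edges)


if __name__ == "__main__":
    for dual in (False, True):
        nodes, links = single_points_of_failure(build_topology(dual), {"ACC1"}, {"SRV1"})
        print("dual-attached" if dual else "single-attached",
              "devices:", sorted(nodes), "links:", [sorted(l) for l in links])
```

With the server single-attached, the only single points of failure left in this topology are the server farm switch SF1 and the SF1-SRV1 link; every link between access, distribution and core already has an alternative. Adding a second server farm switch and a second attachment for the server removes both, which is the case the "Dual attachment" slide later in this module makes.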

Example: Campus Infrastructure Redundancy

The building access network is partially meshed with the building distribution switches. The building access switch has a chance to recover from a link or building distribution switch failure.

Example: Enterprise Edge Redundancy

The remote site establishes a backup connection via an IPsec tunnel across the Internet.

High Availability in the Server Farm Module


Single attachment (not recommended):
- Requires alternative mechanisms to dynamically find an alternative router

Dual attachment to increase availability and prevent session loss:
- Attachment through a redundant transceiver
- Attachment through a redundant NIC
- Fast EtherChannel and Gigabit EtherChannel port bundles

Example: Attachment Through a Redundant Transceiver

Transceiver activates backup link on primary link failure. Transceiver cannot detect failures beyond physical link.

Example: Attachment Through a Redundant NIC

Device driver presents two NIC cards as a single logical interface. This setup uses one MAC address on both interfaces. Backup card is activated when the primary link is gone.

Voice Transport Overview


Two implementations:
- Voice over IP: Uses analog phones. Transports voice packets over the IP network using voice-enabled routers.
- IP telephony: Implements voice in the network using Cisco Unified CallManager and IP phones.

Both implementations require properly designed networks. All modules of the enterprise network are involved in the voice network solution.

IP Telephony Components

Modular Approach in Voice Network Design

Example: Voice Network Solution

Evaluating the Existing Data Infrastructure for Voice Design


Document and evaluate the existing data infrastructure in each enterprise network module in terms of:
- New voice performance requirements
- Availability requirements
- Feature requirements
- Potential network capacity or impact

Wireless LAN Overview


- Supports connecting mobile clients to the enterprise network
- Transports packets over radio waves
- Has connectivity and privacy issues not found in wired networks
- Can have implications for all modules of the enterprise network

Centralized WLAN Model Components

Application Networking Services Introduction


- Traditional networks handled static web pages, e-mail, and routine client-server applications.
- Applications are evolving into complex and highly visible services.
- Application deployment issues are emerging:
  - Consolidation of data centers can result in lower productivity for remote users.
  - A web-based ordering system may suffer because of poor responsiveness.
  - Business partners may need immediate and secure electronic access to back-office applications.
  - A purchasing application may need to track large orders.

ANS Can Resolve Application Issues


- Wide-area application services can compress, cache, and optimize content.
- Optimization of the web streams can reduce latency, suppress unnecessary reloading of web objects, and offload the web server.
- Security and remote connectivity services can validate requests, route them appropriately, and encrypt and prioritize responses.
- Application messaging services interpret purchase orders and log large orders according to business policy rules.

Example: ANS Components

Summary
Network infrastructure services add intelligence to the network infrastructure, supporting application awareness within the network. Security is a network infrastructure service that increases the integrity of the network by protecting network resources and users from internal and external threats. High-availability services protect the integrity of mission-critical information with networking platforms and topologies that offer a sufficient level of resiliency.

Summary (Cont.)
Voice infrastructure services throughout the enterprise are needed to support IP telephony. Wireless services support mobile clients and integrate with the wired network. Cisco ANS optimizes website performance, content delivery, and the security and connectivity of applications.

Identifying Network Management Protocols and Features


Structuring and Modularizing the Network

Network Management Overview

SNMP Overview
Manager:
- Polls agents on the network
- Correlates and displays information

SNMP:
- Supports message exchange
- Runs on IP

Agent:
- Collects and stores information
- Responds to manager requests for information
- Generates traps

MIB:
- Database of objects (information variables)
- Read and write community strings for controlling access

SNMPv1 Message Types

SNMP Version 2
- SNMPv2 introduced in RFC 1441
- SNMPv2C defined in RFC 1901
- SNMPv2 new features:
  - Get Bulk Request
  - Inform Request
  - Data types with 64-bit values

SNMP Version 3
- RFCs 3410 through 3415
- Authentication and privacy
- Authorization and access control
- Usernames and key management
- Remotely configurable via SNMP operations
- Available since Cisco IOS Software Release 12.0
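The SNMP Overview slide relies on read and write community strings for access control, while SNMPv3 adds authentication and privacy. A community string in SNMPv1 or SNMPv2c is carried unencrypted in every message, so a design review normally checks that management access is SNMPv3 with authentication and privacy, that any remaining communities are read-only, non-default and restricted by an access list, and that notifications are not sent with a v1/v2c community. The block below is an added example, not course material or Cisco code: an audit over constructed configuration lines written in the Cisco IOS `snmp-server community`, `snmp-server group` and `snmp-server host` syntax. The community strings, group names and addresses are made up; the finding categories are the reviewer's own.

```python
# Added example (not from the DESGN course or Cisco): an audit of SNMP
# configuration lines that flags SNMPv1/v2c community strings and SNMPv3
# settings weaker than authPriv. The configuration below is constructed; the
# command syntax follows the Cisco IOS snmp-server commands.
import re
from collections import Counter
from typing import Dict, List

COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?$", re.I)
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)", re.I)
HOST_RE = re.compile(
    r"^snmp-server host (\S+)(?: (?:traps|informs))? version (1|2c|3)"
    r"(?: (noauth|auth|priv))? (\S+)", re.I)

WELL_KNOWN = {"public", "private", "cisco"}  # default strings to flag


def audit_snmp(config: str) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []

    def add(kind: str, line: str, detail: str) -> None:
        findings.append({"kind": kind, "line": line, "detail": detail})

    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            community, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
            add("COMMUNITY_CLEARTEXT", line,
                "SNMPv1/v2c community strings travel unencrypted; prefer SNMPv3 authPriv")
            if community.lower() in WELL_KNOWN:
                add("WELL_KNOWN_COMMUNITY", line, f"community {community!r} is a default value")
            if mode == "RW":
                add("RW_COMMUNITY", line, "read-write access lets a manager change configuration")
            if acl is None:
                add("NO_ACL", line, "no access list restricts which managers may use this community")
            continue
        m = GROUP_RE.match(line)
        if m and m.group(2).lower() != "priv":
            add("V3_WITHOUT_PRIV", line,
                f"group {m.group(1)} uses {m.group(2)}; only priv encrypts the payload")
            continue
        m = HOST_RE.match(line)
        if m and m.group(2) != "3":
            add("PLAINTEXT_TRAP_HOST", line,
                f"notifications to {m.group(1)} carry the community in clear text")
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    return dict(Counter(f["kind"] for f in findings))


# Constructed configuration excerpt (not from any real device)
SAMPLE_CONFIG = """
snmp-server community public RO
snmp-server community c1sc0rw RW
snmp-server community ops-ro RO 10
snmp-server group NMSGRP v3 priv
snmp-server group LEGACY v3 noauth
snmp-server host 10.99.0.5 version 3 priv nmsuser
snmp-server host 10.99.0.6 version 2c public
"""

if __name__ == "__main__":
    for f in audit_snmp(SAMPLE_CONFIG):
        print(f"[{f['kind']}] {f['line']}\n    {f['detail']}")
    print(summarize(audit_snmp(SAMPLE_CONFIG)))
```

Run against a saved running configuration, the summary gives a quick count per finding type; the only lines in the constructed sample that produce no finding are the read-only community restricted by access list 10, the `v3 priv` group and the SNMPv3 trap host.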

MIB Definition
- Collection of managed objects
- Each object has a unique identifier
- Objects are grouped into a tree
- Standard MIBs = RFC xxxx
- Private MIBs

Example: Cisco Router MIB


Standard managed objects:
- Interfaces
- Buffers
- Memory
- Standard protocols

Private managed objects:
- Small, medium, large, and huge buffers
- Primary and secondary memory
- Proprietary protocols

Private extensions to MIB-II: 1.3.6.1.4.1.9 or iso.org.dod.internet.private.enterprise.cisco
Definitions available at http://www.cisco.com/public/mibs


Example: Variable Retrieval


Base format to retrieve the number of errors on an interface:

iso.org.dod.internet.mgmt.mib.interface.ifTable.ifEntry.ifOutErrors
1.3.6.1.2.1.2.2.1.20

Specific format to retrieve the number of errors on the first interface (the instance index is appended to the base OID):

iso.org.dod.internet.mgmt.mib.interface.ifTable.ifEntry.ifOutErrors.Instance
1.3.6.1.2.1.2.2.1.20.0


RMON1
- Supports proactive monitoring of LAN traffic:
  - Network fault diagnosis
  - Planning
  - Performance tuning
- Works on MAC layer data:
  - Monitors only the aggregate LAN traffic for remote LAN segments
  - Traffic statistics and analysis
- Implemented on agents: routers, switches, hubs, servers, hosts, and dedicated probes


RMON1 Groups (RFC 1513 and 2819)


RMON2


RMON2 (RFC 2021)


NetFlow Infrastructure


NetFlow vs. RMON Information Gathering


- NetFlow can be configured on individual interfaces.
- NetFlow gathers more detailed information:
  - Source and destination interface numbers
  - Source and destination IP addresses
  - TCP/UDP source and destination ports
  - Number of bytes and packets in the flow
  - Source and destination autonomous system (AS) numbers
  - IP type of service
- NetFlow provides greater scalability, customized data collection, and a lower performance impact.


Applications Using NetFlow


- Accounting and billing
- Network planning and analysis
- Network and security monitoring
- Application monitoring and profiling
- User monitoring and profiling
- NetFlow data warehousing and mining
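The flow fields listed on the previous slide and two of the applications above (accounting, security monitoring), shown by an added Python example that is not part of the course material. It assumes the NetFlow version 5 export format, which the slides do not name, and decodes a datagram constructed inline.

```python
"""Decode a NetFlow export and summarize it for accounting and security monitoring.

Added example, not part of the DESGN course material. It assumes the NetFlow
version 5 export format (the slides do not name a version); the datagram
decoded here is constructed inline for the example.
"""
import ipaddress
import struct
from collections import defaultdict

# v5 header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval (24 bytes, network byte order)
HEADER_FMT = "!HHIIIIBBH"
# v5 record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2 (48 bytes)
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)


def build_v5_datagram(flows):
    """Pack constructed flows into a v5 datagram (used only to produce sample input).

    Each flow is (src, dst, sport, dport, proto, packets, octets, in_if, out_if, src_as, dst_as, tos).
    """
    header = struct.pack(HEADER_FMT, 5, len(flows), 1000, 1700000000, 0, 0, 0, 0, 0)
    body = b""
    for src, dst, sport, dport, proto, pkts, octets, in_if, out_if, src_as, dst_as, tos in flows:
        body += struct.pack(
            RECORD_FMT,
            ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed, b"\x00" * 4,
            in_if, out_if, pkts, octets, 0, 1000, sport, dport,
            0, 0x02, proto, tos, src_as, dst_as, 24, 24, 0,
        )
    return header + body


def parse_v5(datagram):
    """Return a list of flow dicts carrying the fields the slides list
    (interfaces, addresses, ports, bytes/packets, AS numbers, ToS).

    Raises ValueError on a non-v5 version or on a datagram whose count field
    claims more records than the payload actually contains (a collector must
    never trust the count blindly)."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated datagram: count exceeds payload")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        r = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append({
            "src": str(ipaddress.IPv4Address(r[0])), "dst": str(ipaddress.IPv4Address(r[1])),
            "in_if": r[3], "out_if": r[4], "packets": r[5], "bytes": r[6],
            "sport": r[9], "dport": r[10], "tcp_flags": r[12], "proto": r[13],
            "tos": r[14], "src_as": r[15], "dst_as": r[16],
        })
    return flows


def is_valid_v5(datagram):
    """True if the datagram decodes cleanly, False if parse_v5 rejects it."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def bytes_per_source(flows):
    """Accounting view: total bytes sent by each source address."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return dict(totals)


def fanout_per_source(flows):
    """Security-monitoring view: distinct (destination, port) pairs each source touched.

    Many tiny single-packet flows from one source to many ports is the pattern
    a NetFlow collector would flag for analyst review."""
    targets = defaultdict(set)
    for f in flows:
        targets[f["src"]].add((f["dst"], f["dport"]))
    return {src: len(t) for src, t in targets.items()}


# Constructed sample export: one ordinary HTTPS client and one host touching many ports.
SAMPLE_FLOWS = [
    ("10.1.1.10", "10.2.2.20", 51000, 443, 6, 120, 98000, 1, 2, 0, 0, 0),
    ("10.1.1.10", "10.2.2.21", 51001, 443, 6, 80, 64000, 1, 2, 0, 0, 0),
    ("10.1.1.99", "10.2.2.20", 40001, 22, 6, 1, 60, 1, 2, 0, 0, 0),
    ("10.1.1.99", "10.2.2.20", 40002, 23, 6, 1, 60, 1, 2, 0, 0, 0),
    ("10.1.1.99", "10.2.2.20", 40003, 3389, 6, 1, 60, 1, 2, 0, 0, 0),
    ("10.1.1.99", "10.2.2.21", 40004, 22, 6, 1, 60, 1, 2, 0, 0, 0),
]
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_FLOWS)

if __name__ == "__main__":
    decoded = parse_v5(SAMPLE_DATAGRAM)
    print(bytes_per_source(decoded))   # {'10.1.1.10': 162000, '10.1.1.99': 240}
    print(fanout_per_source(decoded))  # {'10.1.1.10': 2, '10.1.1.99': 4}
```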


Cisco Discovery Protocol


Figure: CDP (Cisco Discovery Protocol) is a Cisco proprietary data link protocol that carries upper-layer entry addresses (TCP/IP, Novell IPX, AppleTalk, others) over LANs, Frame Relay, ATM, and other media supporting SNAP.

- Provides a summary of directly connected switches, routers, and other Cisco devices
- Discovers neighbor devices regardless of which protocol suite they are running
- Requires that physical media support SNAP encapsulation


Discovering Neighbors with Cisco Discovery Protocol


Syslog Features
- Devices produce syslog messages.
- Syslog messages contain level and facility.
- Common syslog facilities:
  - IP
  - OSPF protocol
  - SYS operating system
  - IP Security (IPsec)
  - Route Switch Processor (RSP)
  - Interface (IF)
- Syslog levels:
  - Emergency (level 0, highest level)
  - Alert (level 1)
  - Critical (level 2)
  - Error (level 3)
  - Warning (level 4)
  - Notice (level 5)
  - Informational (level 6)
  - Debugging (level 7)


Example: Syslog Messages


Syslog Architecture

- Centralized syslog daemon
- Remote syslog daemons:
  - Support for syslog filters
  - Low bandwidth utilization
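The facility and level fields from the Syslog Features slide, and the severity filter a remote syslog daemon applies, demonstrated by an added Python example that is not from the course. It assumes the standard IOS message shape %FACILITY-SEVERITY-MNEMONIC: text with an RFC 3164 <PRI> prefix (PRI = facility * 8 + severity) on messages sent to a remote daemon; the log lines are constructed.

```python
"""Parse Cisco IOS syslog messages and apply a severity filter.

Added example, not from the course; the log lines are constructed. It assumes
the standard IOS message shape %FACILITY-SEVERITY-MNEMONIC: text (or
%FACILITY-SUBFACILITY-SEVERITY-MNEMONIC), optionally preceded by a sequence
number and timestamp, and, when sent to a remote daemon, by an RFC 3164 <PRI>
field where PRI = facility * 8 + severity (IOS defaults to facility local7 = 23).
"""
import re
from collections import Counter

SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notice", 6: "informational", 7: "debugging",
}
PRI_RE = re.compile(r"^<(\d{1,3})>")
BODY_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?:(?P<sub>[A-Z0-9_]+)-)?(?P<severity>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


def parse_line(line):
    """Return a dict of the message's parts, or None if the line is not in IOS format."""
    pri_facility = pri_severity = None
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        if pri > 191:  # facilities run 0..23, so PRI can never exceed 23*8+7
            return None
        pri_facility, pri_severity = divmod(pri, 8)
    body = BODY_RE.search(line)
    if body is None:
        return None
    severity = int(body.group("severity"))
    return {
        "facility": body.group("facility"),
        "subfacility": body.group("sub"),
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "mnemonic": body.group("mnemonic"),
        "text": body.group("text"),
        "pri_facility": pri_facility,
        "pri_severity": pri_severity,
        # PRI severity disagreeing with the message's own level is worth flagging
        # rather than trusting either value blindly
        "pri_mismatch": pri_severity is not None and pri_severity != severity,
    }


def filter_by_level(lines, max_level):
    """Keep messages at max_level or more severe (lower number = more severe),
    the same cut-off semantics as a remote syslog daemon's severity filter."""
    kept = []
    for line in lines:
        msg = parse_line(line)
        if msg is not None and msg["severity"] <= max_level:
            kept.append(msg)
    return kept


def count_by_facility(lines):
    """Message volume per facility: a quick check on what a collector is receiving."""
    return dict(Counter(msg["facility"] for msg in map(parse_line, lines) if msg is not None))


# Constructed sample lines as a remote daemon would receive them (PRI 189 = 23*8 + 5).
SAMPLE_LOG = [
    "<189>45: *Mar  1 00:12:31.411: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<187>46: *Mar  1 00:12:40.002: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<189>47: *Mar  1 00:12:41.010: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "<188>48: *Mar  1 00:13:05.500: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed]",
    "<189>49: *Mar  1 00:14:00.000: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/1 from FULL to DOWN, Neighbor Down: Interface down or detached",
    "not a cisco message at all",
    "<190>50: *Mar  1 00:15:00.000: %SYS-5-RESTART: System restarted --",  # PRI says 6, body says 5
]

if __name__ == "__main__":
    for msg in filter_by_level(SAMPLE_LOG, 4):
        print(msg["severity_name"], msg["facility"], msg["mnemonic"])
    print(count_by_facility(SAMPLE_LOG))
```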


Summary
- Network management is supported with various devices and servers that use network management protocols and standards.
- SNMP is a simple network management protocol that is the foundation of a network management architecture.
- A MIB stores local management agent information on a managed device.
- RMON is a MIB that supports proactive management of remote networks.
- NetFlow collects network flow data to support network accounting, usage-based billing, planning, performance monitoring, and QoS applications.
- Cisco Discovery Protocol is a Cisco proprietary protocol that enables you to discover Cisco devices on the network.
- Syslog reports system state information based on preset facilities and severity levels.


Module Summary
- The hierarchical network structure is composed of the access, distribution, and core layers.
- Based on Cisco SONA, the Cisco Enterprise Architecture provides a modular hierarchical approach for providing network infrastructure and services to all places in the network.
- Network infrastructure services add intelligence to the network infrastructure, supporting application awareness within the network.
- Network management protocols support the exchange of management information between the network management system and managed devices.


Designing Basic Campus and Data Center Networks

Designing for Cisco Internetwork Solutions (DESGN) v2.0


Describing Campus Design Considerations


Designing Basic Enterprise Campus Networks


Designing an Enterprise Campus


Campus design factors:
- Network application characteristics
- Device characteristics
- Environmental characteristics


Overview of Network Application Types


- Peer-to-peer
- Client-local server
- Client-server farm
- Client-enterprise edge server


Network Requirements of Applications


- Connectivity type
- Total required throughput
- High availability
- Total network costs


Example: Peer-to-Peer Applications


- Instant messaging
- File sharing
- IP phone calls
- Video conference systems


Example: Client-Local Server Applications


- Servers are located close to clients.
- Servers and clients are in the same LAN.
- Requests to servers from nonlocal LANs are rare.


Example: Client-Server Farm Applications


Typical applications:
- Mail servers
- File servers
- Database servers

Access to applications:
- Fast
- Reliable
- Controlled (security)


Example: Client-Enterprise Edge Applications


Typical applications:
- Internet applications
- Mail servers
- Web servers
- Public Internet servers
- E-commerce applications


Relative Network Requirements by Application Type


| Application type              | Connectivity type | Total required throughput | High availability | Total network costs |
|-------------------------------|-------------------|---------------------------|-------------------|---------------------|
| Peer-to-Peer                  | Switched          | Medium to high            | Low to high       | Low to medium       |
| Client-Local Servers          | Switched          | Medium                    | Medium            | Medium              |
| Client-Server Farm            | Switched          | High                      | High              | High                |
| Client-Enterprise Edge Servers| Switched          | Medium                    | High              | Medium              |


Environmental Characteristics for Network Design


- The network devices and the distances between them determine the network geography.
- The campus network design is scoped with respect to geography:
  - Intrabuilding
  - Interbuilding
  - Distant remote buildings


Intrabuilding Structure
- Provides connectivity inside the building
- Built with the building access and building distribution layers
- Transmission options:
  - Copper
  - Optical fiber
  - Wireless


Interbuilding Structure
- Connectivity between buildings
- Distances between buildings within a few kilometers
- Building distribution with campus core layer
- Typical transmission media: optical fiber


Distant Remote Building Structure


Metropolitan-based network connectivity options:
- Using company-owned fiber
- Through enterprise WAN
- Through service provider offerings


Campus Transmission Media


- Physical media in network design influences:
  - Network bandwidth
  - Allowable distance between devices
- Copper design considerations:
  - Electromagnetic interference, grounding, security
  - Signal attenuation, distance limitations
- Optical fiber design considerations:
  - Light signal (LED or laser)
  - Expensive, providing a long-term investment
- Wireless design considerations:
  - Distance, interference, bandwidth, security


Comparison of Campus Transmission Media


| Medium              | Bandwidth               | Distance                                                                                                  | Price                 |
|---------------------|-------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------|
| Copper twisted pair | Up to 10 Gbps           | Up to 100 m                                                                                               | Inexpensive           |
| Multimode fiber     | Up to 10 Gbps           | Up to 2 km (Fast Ethernet); up to 550 m (Gigabit Ethernet); up to 300 m (10 Gigabit Ethernet)             | Moderate              |
| Single-mode fiber   | Up to 10 Gbps or higher | Up to 80 km (Fast Ethernet); up to 100 m (Gigabit Ethernet); up to 80 km (10 Gigabit Ethernet)            | Moderate to expensive |
| Wireless            | Up to 54 Mbps*          | Up to 500 m at 1 Mbps                                                                                     | Moderate              |

*Wireless is half-duplex, so effective bandwidth will be no more than one half this rate.


Example: Transmission Media


Infrastructure Device Characteristics


Switches connect end devices as well as infrastructure devices:
- Access layer is typically data link layer switches.
- Distribution and core layers typically use multilayer switches.

Switch type and switching layer decision is influenced by:
- Infrastructure services requirements (QoS, including policing, and so on)
- Size of the network segments
- Expected network failure convergence times
- Cost


Example Network Service: QoS in LAN Switches

Enterprise QoS guarantees that critical applications receive the required bandwidth or services.

Summary
Campus network design is influenced by several factors: first, application characteristics, such as throughput and availability requirements; second, environmental characteristics, such as the location of devices and buildings and the transmission media; third, infrastructure device characteristics, such as switching type and support for network services.


Designing the Campus Infrastructure Module

Designing Basic Enterprise Campus Networks


Relative Considerations for the Campus Design


| Campus Infrastructure | Technology                          | Scalability | High availability | Performance | Cost per Port |
|-----------------------|-------------------------------------|-------------|-------------------|-------------|---------------|
| Building Access       | Data Link Layer/Multilayer Switched | High        | Medium            | Medium      | Low           |
| Building Distribution | Multilayer Switched                 | Medium      | Medium            | Medium      | Medium        |
| Campus Core           | Multilayer Switched                 | Low         | High              | High        | High          |
| Server Farm           | Multilayer Switched                 | Medium      | High              | High        | High          |


Building Access Layer Design Considerations


- Number of users or ports
- Cabling
- Performance
- Redundancy
- Connectivity speed for hosts and uplinks
- VLAN deployment
- Additional features such as QoS and IP multicast


Overview of Recommended Practices for the Building Access Layer


- Manage VLANs and STP:
  - Limit VLANs to a single closet whenever possible.
  - If STP is required, use RPVST+.
- Set trunks to desirable and desirable with negotiate.
- Manually prune unused VLANs.
- Use VTP transparent mode.
- Manage trunks between switches.
- Manage default PAgP settings between the Catalyst Operating System and Cisco IOS Software.
- Consider implementing routing in the access layer.


STP Considerations
Use only when you have to!
- Required when a VLAN spans access layer switches
- Required to protect against user side loops
- More common in the data center

Use RPVST+ for best convergence. Take advantage of the Spanning Tree Toolkit.


Cisco STP Toolkit


- PortFast: Bypasses the listening-learning phase for access ports*
- UplinkFast: Three to five seconds convergence after link failure
- BackboneFast: Cuts convergence time by max_age for indirect failure
- LoopGuard: Prevents an alternate or root port from becoming designated in the absence of BPDUs*
- RootGuard: Prevents external switches from becoming root*
- BPDUGuard: Disables a PortFast-enabled port if a BPDU is received*

* Also supported with RPVST+


Trunk Considerations
- Set trunk mode to desirable and desirable, and encapsulation negotiate on
- Manually prune all VLANs except those needed
- Use VTP transparent mode to decrease potential for operational error
- Disable trunks on host ports:
  - Catalyst Operating System: set port host
  - Cisco IOS Software: switchport host


Layer 3 Access-to-Distribution Interconnection

- Best option for fast convergence
- Equal-cost Layer 3 load balancing on all links
- No spanning tree required for convergence
- No HSRP or GLBP configuration required
- No VLAN spanning possible


Building Distribution Layer Design Considerations


- Performance
- Redundancy
- Support for network infrastructure services


Overview of Recommended Practices for the Building Distribution Layer


- Use first-hop redundancy protocols (HSRP and GLBP).
- Deploy Layer 3 routing protocols from distribution switches to core switches.
- If required, connect distribution switches to support Layer 2 VLANs spanning multiple access switches.


Recommended Practices: First-Hop Redundancy


- Provides a resilient default gateway or first-hop address to end stations with HSRP, VRRP, or GLBP
- HSRP, VRRP, and GLBP provide millisecond timers and excellent convergence performance
- HSRP is common in Cisco environments
- VRRP if you need multi-vendor interoperability
- GLBP facilitates uplink load balancing


Recommended Practices: Use Layer 3 Routing Protocols


- Build triangles, not squares, for deterministic convergence.
- Only peer on links that you intend to use as transit.
- Summarize routes from distribution to core.


Example: Build Redundant Triangles

Layer 3 redundant equal cost links support fast convergence. Hardware basedrecovery to remaining path is fast. Convergence is extremely fast (dual equal-cost paths: no need for OSPF or EIGRP to recalculate a new path).
Layer 3 Distribution Interconnection

- Recommended practice: tried and true
- No STP convergence required for uplink failure and recovery
- Distribution-to-distribution link required for route summarization
- Map Layer 2 VLAN number to Layer 3 subnet for ease of use and management
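The last two bullets describe a mapping and a summarization step that are easy to get wrong by hand. The following is an added example in Python, not code from the course or from Cisco: it assumes a hypothetical addressing plan (one 10.1.0.0/16 block per distribution pair, VLAN n mapped to 10.1.n.0/24), derives the VLAN subnets, computes the single summary the distribution pair advertises toward the core, and reports how much of that summary is unassigned space. That last check matters because a summary attracts traffic for addresses nobody uses; unless the distribution switches also hold a local discard route for the summary (a static route to Null0 on Cisco IOS), such packets are forwarded back toward the core and can loop until their TTL expires if the distribution layer also carries a default route.

```python
import ipaddress

# Assumed (hypothetical) addressing plan for one distribution block: VLAN n gets the
# /24 whose third octet equals n, inside this block. Not from the course material.
BUILDING_BLOCK = ipaddress.ip_network("10.1.0.0/16")


def vlan_subnet(vlan_id: int, block=BUILDING_BLOCK):
    """Map a Layer 2 VLAN number to its Layer 3 subnet (VLAN 10 -> 10.1.10.0/24)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"invalid VLAN ID {vlan_id}")
    base = ipaddress.ip_address(int(block.network_address) + vlan_id * 256)
    subnet = ipaddress.ip_network(f"{base}/24")
    if not subnet.subnet_of(block):
        raise ValueError(f"VLAN {vlan_id} does not fit inside {block}")
    return subnet


def exact_advertisements(subnets):
    """Fewest prefixes that cover exactly the given subnets and nothing else."""
    return list(ipaddress.collapse_addresses(subnets))


def covering_summary(subnets):
    """Smallest single prefix containing every subnet: the one route the
    distribution pair advertises toward the core."""
    ordered = sorted(subnets)
    candidate = ordered[0]
    while not all(s.subnet_of(candidate) for s in ordered):
        if candidate.prefixlen == 0:          # cannot widen any further
            break
        candidate = candidate.supernet()
    return candidate


def uncovered_space(summary, subnets):
    """Address space inside the summary that belongs to no VLAN. The summary
    attracts traffic for it, so the distribution switches need a local discard
    route for the summary (ip route ... Null0 on Cisco IOS) instead of sending
    those packets back toward the core."""
    remaining = [summary]
    for s in subnets:
        nxt = []
        for r in remaining:
            if s.subnet_of(r):
                nxt.extend(r.address_exclude(s))   # carve s out of r (yields nothing if equal)
            elif not r.subnet_of(s):
                nxt.append(r)                      # piece untouched by s
        remaining = nxt
    return sorted(remaining)


ACCESS_VLANS = [10, 11, 12, 20]   # constructed example: four user VLANs in the block


def plan(vlans=ACCESS_VLANS, block=BUILDING_BLOCK):
    """Derive subnets, summary, unassigned space and the matching discard route."""
    subnets = [vlan_subnet(v, block) for v in vlans]
    summary = covering_summary(subnets)
    holes = uncovered_space(summary, subnets)
    return {
        "subnets": subnets,
        "exact": exact_advertisements(subnets),
        "summary": summary,
        "unassigned_addresses": sum(h.num_addresses for h in holes),
        "discard_route": f"ip route {summary.network_address} {summary.netmask} Null0",
    }


if __name__ == "__main__":
    result = plan()
    print("VLAN subnets:             ", ", ".join(map(str, result["subnets"])))
    print("exact prefixes:           ", ", ".join(map(str, result["exact"])))
    print("summary toward core:      ", result["summary"])
    print("unassigned inside summary:", result["unassigned_addresses"], "addresses")
    print("discard route:            ", result["discard_route"])
```

With the four constructed VLANs the single summary is 10.1.0.0/19, of which only 1024 of 8192 addresses are assigned; the exact-prefix list (three routes) is the alternative when the core can tolerate a few more entries and the design wants no covered-but-unused space at all.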
Alternate: Layer 2 Distribution Interconnection

- Use only if Layer 2 VLAN spanning flexibility is required
- STP convergence required for uplink failure and recovery
- More complex because the STP root and the HSRP active router should be on the same switch
- Distribution-to-distribution link required for route summarization
Campus Core Design Considerations


- Determine if a core is needed.
- Determine performance and capacity needed.
- Determine redundancy.
- Determine if enterprise edge and WAN connectivity is to the core or to the data center.

Example: Large Campus Multilayer Switched Backbone Design


- Reduced multilayer switch peering
- Topology with no spanning-tree loops
- Scalability to arbitrarily large size
- Improved network services support
- Two equal-cost paths to every destination network
- Fast recovery from link failure

Small and Medium Campus Design Options

Edge Distribution Design


Edge distribution switches have to protect the campus core from:
- Unauthorized access
- IP spoofing
- Network reconnaissance
- Packet sniffers
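The slide lists what the edge distribution layer must block but not how it decides. Below is an added example, not code from the course or from Cisco, modelling in Python the ingress source-address checks a practitioner would configure at that boundary: a bogon and private-address filter, a check that the enterprise's own prefixes never arrive from outside (the classic spoofing case), and a strict-mode Unicast RPF style check for links whose legitimate source range is known. The interface names, prefixes, and the sample packets are all constructed for illustration; the bogon list is deliberately minimal.

```python
import ipaddress

# Constructed edge-distribution topology (hypothetical interface names and prefixes).
# Value: prefixes that legitimately appear as SOURCE addresses on that ingress link;
# None means "any source that is neither a bogon nor our own space" (Internet feed).
INGRESS_SOURCES = {
    "Gi1/1-internet": None,
    "Gi1/2-partner": [ipaddress.ip_network("203.0.113.0/24")],
}

# The enterprise's own public block: a packet claiming this source cannot legitimately
# arrive from outside, so it is spoofed.
ENTERPRISE_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Minimal bogon list (constructed; a production filter is longer and maintained).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def verdict(interface: str, src: str) -> str:
    """Decide whether a packet with this source may pass toward the core."""
    if interface not in INGRESS_SOURCES:
        return "drop: unknown ingress interface"
    source = ipaddress.ip_address(src)
    if any(source in b for b in BOGONS):
        return "drop: bogon or private source"
    if any(source in p for p in ENTERPRISE_PREFIXES):
        return "drop: spoofed enterprise source"
    allowed = INGRESS_SOURCES[interface]
    if allowed is not None and not any(source in p for p in allowed):
        # Strict uRPF analogue: the source must be reachable back out this interface.
        return "drop: source not reachable via ingress interface (strict uRPF)"
    return "permit"


def filter_trace(packets):
    """Apply the policy to (interface, src, dst) tuples; returns (iface, src, dst, verdict)."""
    return [(iface, src, dst, verdict(iface, src)) for iface, src, dst in packets]


def summarize(results):
    """Count verdicts, the view an operator wants from the edge counters."""
    counts = {}
    for _, _, _, v in results:
        counts[v] = counts.get(v, 0) + 1
    return counts


# Constructed sample traffic arriving at the edge distribution switch.
SAMPLE_PACKETS = [
    ("Gi1/1-internet", "192.0.2.10",   "198.51.100.5"),   # ordinary Internet client
    ("Gi1/1-internet", "198.51.100.7", "198.51.100.5"),   # our own address from outside
    ("Gi1/1-internet", "10.20.30.40",  "198.51.100.5"),   # RFC 1918 source on the Internet feed
    ("Gi1/1-internet", "127.0.0.1",    "198.51.100.5"),   # loopback is never valid on the wire
    ("Gi1/2-partner",  "203.0.113.9",  "198.51.100.8"),   # partner host on its own prefix
    ("Gi1/2-partner",  "192.0.2.99",   "198.51.100.8"),   # partner link carrying a foreign source
]


if __name__ == "__main__":
    for iface, src, dst, v in filter_trace(SAMPLE_PACKETS):
        print(f"{iface:16} {src:>14} -> {dst:<14} {v}")
    print(summarize(filter_trace(SAMPLE_PACKETS)))
```

Two of the six constructed packets are permitted; the partner link's foreign source is the case an access list alone misses and strict uRPF catches, which is why both are usually deployed together on links with a known address range.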

Server Placement in a Medium-Sized Network

Server Placement in a Large Network

Server Farm Design Guidelines


Key design considerations:
- Access control
- Traffic demands
- Oversubscription

Server connectivity options:
- Single NIC
- Dual-NIC redundancy
- Content switching (server load balancing)

Summary
Design an enterprise campus network using recommended practices:
- Use low price per port and high port density on data link layer switches for the building access layer.
- Use redundant multilayer switching in the building distribution layer for high availability and performance.
- Use high-performance wire-rate multilayer switching in the campus core design.
- Group centralized servers into a server farm module for moderate enterprise server requirements.

Describing Enterprise Data Center Considerations

Designing Basic Enterprise Campus Networks

Server-Centric to Service-Centric

Cisco Data Center Network Architecture Framework

Example: Data Center Network Topology

Data Center Infrastructure Overview

Defining the Data Center Access Layer


- Can support Layer 2 or Layer 3 access
- Provides port density to the server farm
- Supports dual- and single-attached servers
- Provides high-performance, low-latency Layer 2 switching
- Mix of oversubscription requirements
- Many uplink options

Density and Scalability Implications


Where are the issues?
- Cabling
- Power
- Cooling

Defining the Data Center Aggregation Layer


- Aggregates traffic to the data center core
- Aggregates advanced application and security functions
- Maintains connection and session state for redundancy
- Layer 4-7 services: firewall, server load balancing, SSL, IDS
- Large STP processing load
- High flexibility and economies of scale

Defining the Data Center Core Layer


Drivers for a data center core:
- 10-Gigabit Ethernet port density
- Administrative domains
- Anticipated future requirements

Key core characteristics:
- Distributed forwarding architecture
- Low-latency switching
- 10-Gigabit Ethernet scalability
- Scalable IP multicast support

Summary
Enterprise data centers support a rich set of applications and servers. The SONA-based Cisco Enterprise Data Center Architecture provides a modular hierarchical approach to align data center resources with business applications.

Enterprise Campus and Data Center Design Review


Analyze organizational requirements:
- Type of applications, traffic volume, and traffic pattern
- Redundancy and backup needed

Characterize the existing network and sites:
- Technology used and location of hosts, servers, terminals, and other end nodes

Develop enterprise campus and enterprise data center network designs:
- Based on requirements, implement two or three hierarchical layers.
- Select hardware and software components to support requirements.

Module Summary
- Campus network design is influenced by application, environmental, and infrastructure device characteristics.
- An enterprise campus network is constructed hierarchically with building access, building distribution, and campus core layers.
- An enterprise data center network is constructed hierarchically, with data center access, data center aggregation, and data center core layers.

Designing Remote Connectivity

Designing for Cisco Internetwork Solutions (DESGN) v2.0

Identifying WAN Technology Considerations

Designing Remote Connectivity

Role of a WAN

Types of WAN Interconnections

WAN Transport Technology Comparison

Technology      Bandwidth  Latency and Jitter  Connect Time  Tariff  Initial Cost  Reliability
TDM             M          L                   L             M       M             M
ISDN            L          M/H                 M             M       L             M
Frame Relay     L          L                   L             M       M             M
ATM             M/H        L                   L             M       M             H
MPLS            M/H        L                   L             M       M             H
Metro Ethernet  M/H        L                   L             M       M             H
DSL             L/M*       M/H                 L             L       L             M
Cable modem     L/M*       M/H                 L             L       M             L
Wireless        L/M        M/H                 L             L       M             L
SONET/SDH       H          L                   L             M       H             H
DWDM            H          L                   L             M       H             H
Dark fiber      H          L                   L             M       H             H

L = low, M = medium, H = high
* Unbalanced Tx and Rx (asymmetric upstream and downstream rates)

Example: ADSL Implementation

Example: Data and Voice over Cable

Example: Three Uses of Wireless

Example: SONET/SDH

- Guaranteed bandwidth
- High line rates (from 155 Mbps to 10 Gbps)
- Automatic recovery capabilities
- IP encapsulations: ATM or packet over SONET/SDH (POS)
Example: DWDM

- Improved signaling mechanisms to optimize bandwidth usage
- Used inside the SONET/SDH ring

Example: Dark Fiber

- Edge devices directly connected to regenerators or DWDM concentrators
- Edge devices able to use any Layer 2 encapsulation

WAN Transport Technology Pricing Considerations


- Pricing used to include an access circuit and a distance-sensitive rate.
- Access circuit provisioning generally takes 60 days or more of lead time.
- Metro Ethernet availability is spotty, and lead times are long.
- For Frame Relay and ATM, pricing includes an access circuit charge, per-PVC charges, and possibly per-bandwidth (CIR or MIR) charges.
- MPLS VPN pricing is generally comparable with Frame Relay and ATM.

WAN Transport Technology Contract Considerations


- Tariffed commercial services are at published rates and subject to restrictions.
- Time to contract can be one month for standard tariff rates, longer if you negotiate SLAs.
- Contract periods are usually one to five years for most WAN services.
- For dark fiber, contract periods are generally 20 years.

Methodology Used in Enterprise Edge Design


Planning and designing the enterprise edge is based on the PPDIOO methodology:
- Analyze network requirements, including type of applications, traffic volume, and traffic patterns.
- Characterize the existing network for technology used and location of hosts, servers, terminals, and other end nodes.
- Design the topology based on availability of technology, the projected traffic pattern, and technology performance constraints and reliability.

Identifying Application Requirements


Application                   Response time                                Throughput / packet loss tolerance   Downtime (high reliability means low downtime)
Data file transfer            Reasonable                                   High / medium                        Reasonable
Interactive data application  Within a second                              Low / low                            Low
Real-time voice               Round trip less than 250 ms, with low jitter Low / low                            Low
Real-time video               Minimum delay and jitter                     High / medium                        Minimum

Zero downtime is expected for mission-critical applications.

Determining the Maximum Offered Traffic

- WAN resources have finite capacity.
- End users require minimum response times.
- Network managers require maximum link utilization.

Determining Physical Media Bandwidth


Bandwidth available by physical medium:

Copper
- Up to 1.5/2 Mbps: serial or async serial, ISDN, TDM, X.25, Frame Relay, ADSL
- From 1.5/2 Mbps to 45/34 Mbps: ADSL (8 Mbps downstream)

Fiber
- From 1.5/2 Mbps to 45/34 Mbps: Ethernet, TDM (T3 or E3)
- From 45/34 Mbps to 100 Mbps: Fast Ethernet, ATM over SONET/SDH, POS
- From 100 Mbps to 10 Gbps: Gigabit Ethernet, 10-Gigabit Ethernet, ATM over SONET/SDH, POS

Coaxial (cable)
- Shared bandwidth: 27 Mbps downstream, 2.5 Mbps upstream

2.4/5 GHz WAN wireless
- Varies based on distance and RF quality

Evaluating Cost-Effectiveness of Design and Implementation


Investment and running costs by connectivity model:
- Private: The owner must buy, configure, and maintain the physical layer connectivity and the terminal equipment that connects each location.
- Leased: Fixed bandwidth is leased from a carrier, with private or leased terminal equipment.
- Shared: Physical resources in the provider backbone are shared with many users.

Bandwidth Usage in a WAN


Optimize the bandwidth usage on WAN links to improve network efficiency using:
- Data compression: reduces the size of a frame of data to transmit over a network link
- Bandwidth combination: logically aggregates physical links
- Window size: adjusts link reliability versus throughput
- Queuing: avoids congestion for some traffic by giving it priority over other traffic
- Traffic shaping and policing: avoids congestion by smoothing outbound bursts (shaping) and limiting the rate of inbound or outbound flows (policing)

Queuing to Improve Link Utilization


Queuing allows network administrators to manage the varying demands of applications on networks and routers.

Key types of queuing:
- Priority queuing
- Custom queuing
- Weighted fair queuing
- Class-based weighted fair queuing
- Low latency queuing
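The list names the mechanisms without showing what distinguishes them on the wire. The following added example, written for this page in Python and not taken from the course or from Cisco IOS, models the last entry, low latency queuing: one strict-priority queue whose per-round byte budget is policed, so priority-marked traffic cannot starve the other classes, plus class queues served by deficit round robin with a byte quantum per class, which is how the bandwidth shares of class-based weighted fair queuing are approximated here. Packet names, sizes, the priority budget and the quanta are all constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    name: str
    size: int   # bytes


class LLQScheduler:
    """Model of low latency queuing (added example, not Cisco code).

    priority_limit: bytes the priority queue may send per scheduling round (the policer).
    class_quanta:   bytes of credit each class earns per round (deficit round robin).
    """

    def __init__(self, priority_limit: int, class_quanta: dict):
        if priority_limit <= 0 or any(q <= 0 for q in class_quanta.values()):
            raise ValueError("priority limit and class quanta must be positive")
        self.priority_limit = priority_limit
        self.priority = deque()
        self.classes = {name: deque() for name in class_quanta}
        self.quantum = dict(class_quanta)
        self.deficit = {name: 0 for name in class_quanta}
        self.dropped = []   # priority packets the policer refused

    def enqueue(self, cls: str, pkt: Pkt):
        if cls == "priority":
            self.priority.append(pkt)
        else:
            self.classes[cls].append(pkt)

    def _round(self):
        sent = []
        budget = self.priority_limit
        # Strict priority first, but never beyond the policed budget for this round,
        # so a flood of priority-marked packets cannot starve the data classes.
        while self.priority:
            head = self.priority[0]
            if head.size > self.priority_limit:
                self.dropped.append(self.priority.popleft())   # can never conform
            elif head.size <= budget:
                sent.append(self.priority.popleft())
                budget -= head.size
            else:
                break   # wait for the next round's budget
        # Deficit round robin over the class queues with the remaining capacity.
        for name, queue in self.classes.items():
            if not queue:
                self.deficit[name] = 0   # idle classes do not bank credit
                continue
            self.deficit[name] += self.quantum[name]
            while queue and queue[0].size <= self.deficit[name]:
                pkt = queue.popleft()
                self.deficit[name] -= pkt.size
                sent.append(pkt)
        return sent

    def drain(self):
        """Run scheduling rounds until every queue is empty; return the send order."""
        order = []
        while self.priority or any(self.classes.values()):
            order.extend(self._round())
        return order


def demo():
    """Constructed congestion scenario: six voice packets, four web, two bulk."""
    sched = LLQScheduler(priority_limit=400, class_quanta={"web": 1000, "bulk": 500})
    for i in range(1, 7):
        sched.enqueue("priority", Pkt(f"voice{i}", 200))
    for i in range(1, 5):
        sched.enqueue("web", Pkt(f"web{i}", 500))
    for i in range(1, 3):
        sched.enqueue("bulk", Pkt(f"bulk{i}", 1500))
    return [p.name for p in sched.drain()]


if __name__ == "__main__":
    print(" -> ".join(demo()))
```

In the constructed run the voice packets leave two per round ahead of everything else, the web class gets its 1000-byte share each round, and the bulk class has to accumulate three rounds of credit before a 1500-byte packet fits; a priority packet larger than the policed budget is dropped rather than allowed to block the queue forever.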

Traffic Shaping and Policing

- Shaping is usually found on egress ports; it buffers excess traffic and uses a token bucket mechanism to release packets at the contracted rate.
- Policers typically re-mark or drop traffic, depending on the mechanism, protocol, and severity of the offense.
- Policing, historically in ATM, is on ingress ports and uses a leaky bucket mechanism.
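The practical difference between the two is what happens to a packet that finds no tokens: a shaper queues it, a policer drops or re-marks it. The added example below, written for this page in Python and not code from the course or from Cisco, runs the same bursty arrival trace through both. Both sides use a token bucket here (the slide's leaky-bucket policer is equivalent for this purpose: the conform test at arrival is the same, only the treatment of excess differs). The committed rate, burst size and the packet trace are constructed values.

```python
from typing import List, NamedTuple


class Packet(NamedTuple):
    arrival_ms: float
    size_bytes: int


class TokenBucket:
    """Bucket of byte tokens refilled at the committed rate, capped at the burst size."""

    def __init__(self, rate_bytes_per_ms: float, depth_bytes: float):
        self.rate = rate_bytes_per_ms   # CIR: 1000 bytes/ms is 8 Mbps
        self.depth = depth_bytes        # Bc: the largest burst accepted at once
        self.tokens = depth_bytes       # starts full
        self.last_ms = 0.0

    def refill(self, now_ms: float):
        elapsed = max(0.0, now_ms - self.last_ms)
        self.tokens = min(self.depth, self.tokens + elapsed * self.rate)
        self.last_ms = now_ms


def police(packets: List[Packet], rate: float, depth: float) -> List[str]:
    """Policer: no queue. Each packet is judged on arrival; excess is dropped or re-marked."""
    bucket = TokenBucket(rate, depth)
    verdicts = []
    for p in packets:
        bucket.refill(p.arrival_ms)
        if bucket.tokens >= p.size_bytes:
            bucket.tokens -= p.size_bytes
            verdicts.append("conform")
        else:
            verdicts.append("exceed")   # no delay: the packet is gone or re-marked
    return verdicts


def shape(packets: List[Packet], rate: float, depth: float) -> List[float]:
    """Shaper: FIFO queue in front of the same bucket. Excess waits for tokens instead
    of being dropped. Returns each packet's departure time in ms."""
    bucket = TokenBucket(rate, depth)
    departures = []
    last_departure = 0.0
    for p in packets:
        start = max(p.arrival_ms, last_departure)   # cannot overtake the packet ahead
        bucket.refill(start)
        if bucket.tokens >= p.size_bytes:
            depart = start
        else:
            depart = start + (p.size_bytes - bucket.tokens) / rate   # wait for the shortfall
            bucket.refill(depart)
        bucket.tokens -= p.size_bytes
        departures.append(depart)
        last_departure = depart
    return departures


CIR = 1000.0   # bytes per ms (8 Mbps), constructed value
BC = 2000.0    # burst size in bytes, constructed value


def burst_trace() -> List[Packet]:
    """Constructed input: ten 1000-byte packets at t=0, then one more 20 ms later."""
    return [Packet(0.0, 1000) for _ in range(10)] + [Packet(20.0, 1000)]


def compare(packets: List[Packet] = None) -> dict:
    """Run the same trace through policer and shaper and summarize the difference."""
    if packets is None:
        packets = burst_trace()
    verdicts = police(packets, CIR, BC)
    departures = shape(packets, CIR, BC)
    delays = [d - p.arrival_ms for d, p in zip(departures, packets)]
    return {
        "policer_conform": verdicts.count("conform"),
        "policer_exceed": verdicts.count("exceed"),
        "shaper_max_delay_ms": max(delays),
        "shaper_departures": departures,
    }


if __name__ == "__main__":
    r = compare()
    print(f"policer: {r['policer_conform']} conform, {r['policer_exceed']} exceed (dropped or re-marked)")
    print(f"shaper:  all delivered, worst queueing delay {r['shaper_max_delay_ms']:.0f} ms")
    print("shaper departures (ms):", r["shaper_departures"])
```

On the constructed burst the policer passes the first two packets (the 2000-byte burst allowance) and rejects the other eight; the shaper delivers all ten but the last one waits 8 ms, which is exactly the trade the slide describes: shaping spends buffer and latency, policing spends packets. The packet arriving 20 ms later conforms in both cases because the bucket has refilled.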
Data Compression and QoS to Optimize Bandwidth Usage

Summary
- A WAN is a communications network that covers a relatively broad geographic area and carries a variety of traffic types using transmission facilities that are typically provided by service providers.
- The multiple WAN transport technologies vary in bandwidth, performance characteristics, and cost.
- In WAN design, enterprise edge connectivity requirements influence the trade-off between the cost of bandwidth and bandwidth efficiency.

Designing the Enterprise WAN

Designing Remote Connectivity

Traditional WAN Technologies


- Leased lines: A service provider establishes a dedicated connection.
- Circuit-switched (PSTN: phone service, analog modems, ISDN): A dedicated circuit path is established for the duration of a call. ISDN combines voice, data, and backup.
- Packet- and cell-switched (Frame Relay, SMDS, ATM, MPLS): A service provider creates PVCs or SVCs. ATM uses cells and provides support for multiple QoS classes.

WAN Topologies

Designing the Remote-Access Network


Objective:
- Provide a unified solution for remote access
- Grant the connection seamlessly, as if in company headquarters

Application requirements include:
- Low- to medium-volume data file transfer and interactive traffic for teleworkers and traveling workers
- Voice services for teleworkers

Connectivity option:
- IP access through an on-demand or always-on connection
- Technologies include dial-up, DSL, cable, and wireless

Overview of Virtual Private Networks

Connectivity Option: Overlay VPN

VPNs may replace dedicated point-to-point links with emulated point-to-point links sharing common infrastructure.

Connectivity Option: Virtual Private Dialup Network

Connectivity Option: Peer-to-Peer VPN


Provider participates in the enterprise routing:
  Uses MPLS VPN technology
  Enables organization to use any IP address space
  No overlapping IP address space problems

Benefits of VPNs

WAN Backup Technologies

Backup options:
  Dial backup: analog or ISDN
  Permanent secondary WAN link
  Shadow PVC
  IPsec tunnel across Internet
Example: Permanent Secondary WAN Link

Example: Shadow PVC

WAN Backup over the Internet

Layer 3 Tunneling
GRE:
  Can encapsulate a variety of protocol types inside IP tunnels
  Simple and flexible for basic IP VPNs
  Packet payload is not encrypted
  Provisioning of tunnels is not very scalable
IPsec:
  Encapsulates IP inside of IPsec tunnels
  Packet payload can be encrypted
  IPsec receiver can authenticate source of packets
  Uses IKE and PKI
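The contrast above (GRE carries its payload in the clear and gives the receiver no way to authenticate the sender, while IPsec can encrypt and authenticate) can be made concrete in code. The following is an added example, not code from the DESGN course: it builds and parses a GRE-in-IPv4 packet with Python's standard library to show exactly what an on-path observer can read and that a modified packet parses without complaint, then appends an HMAC-SHA256 tag as a stand-in for the integrity and origin check that IPsec AH or ESP provides. The addresses, shared key, and payload are constructed sample values, and the HMAC wrapper is a simplification of the idea, not the ESP or AH packet format.

```python
"""Added example, not from the DESGN course: a minimal GRE-in-IPv4 builder and
parser showing that a plain GRE tunnel carries its payload in the clear and
accepts modified packets, followed by an HMAC integrity tag standing in for the
origin-authentication check that IPsec (AH or ESP) adds.  Addresses, key and
payload used below are constructed sample values."""
import hashlib
import hmac
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number for GRE in the outer IPv4 header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 payload
INNER_PROTO_UDP = 17      # protocol carried in the inner IPv4 header (sample choice)
TAG_LEN = 32              # HMAC-SHA256 tag length in bytes


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum of 16-bit words; a valid header checksums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    fields = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def build_gre_packet(outer_src, outer_dst, inner_src, inner_dst, payload: bytes) -> bytes:
    """Outer IPv4 | 4-byte GRE base header (RFC 2784) | inner IPv4 | payload."""
    inner = ipv4_header(inner_src, inner_dst, INNER_PROTO_UDP, len(payload)) + payload
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # C, K and S bits all clear
    outer = ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner


def parse_gre_packet(raw: bytes) -> dict:
    """Everything an on-path observer can read from a GRE packet: both address
    pairs and the full payload, because GRE neither encrypts nor authenticates."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != GRE_PROTO:
        raise ValueError("outer header does not carry GRE")
    flags, ptype = struct.unpack("!HH", raw[ihl:ihl + 4])
    # optional checksum (C=0x8000), key (K=0x2000) and sequence (S=0x1000) words
    gre_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    inner = raw[ihl + gre_len:]
    inner_ihl = (inner[0] & 0x0F) * 4
    return {
        "outer_src": str(ipaddress.IPv4Address(raw[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(raw[16:20])),
        "gre_protocol_type": ptype,
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "payload": inner[inner_ihl:],
    }


def protect(packet: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag computed with a key only the tunnel endpoints
    hold.  Stand-in for the IPsec integrity check, not the real ESP/AH format."""
    return packet + hmac.new(key, packet, hashlib.sha256).digest()


def verify(protected: bytes, key: bytes):
    """Return the packet if its tag verifies, else None (the receiver drops it)."""
    body, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    """Constructed sample: tunnel 203.0.113.1 -> 198.51.100.1 carrying 10.1.1.10 -> 10.2.2.20."""
    key = b"constructed-shared-key"
    pkt = build_gre_packet("203.0.113.1", "198.51.100.1",
                           "10.1.1.10", "10.2.2.20", b"payroll export")
    forged = pkt[:-6] + b"revert"          # on-path change to the last 6 payload bytes
    sealed = protect(pkt, key)
    forged_sealed = sealed[:-TAG_LEN - 6] + b"revert" + sealed[-TAG_LEN:]
    return {
        "observer_view": parse_gre_packet(pkt),
        "gre_accepts_forgery": parse_gre_packet(forged)["payload"] == b"payroll revert",
        "tag_accepts_original": verify(sealed, key) == pkt,
        "tag_rejects_forgery": verify(forged_sealed, key) is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows the observer reading the inner 10.x.x.x addresses and the full payload from the plain GRE packet, the modified packet parsing as valid, and the tagged copy being accepted only when unmodified. Real IPsec adds encryption, anti-replay sequence numbers, and IKE key management on top of the integrity idea shown here, which is why the slide pairs it with IKE and PKI.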

Enterprise WAN Architecture Considerations


Support for network growth
Appropriate availability
Operational expense
Operational complexity
Voice and video support
Effort and cost to implement
Support of network segmentation

Cisco Enterprise MAN and WAN Architecture


Private WAN (optionally encrypted)
ISP service through site-to-site and remote-access IPsec VPN
Service provider-managed IP or MPLS VPN
Self-deployed MPLS

Cisco Enterprise WAN and MAN Architecture Comparison


Criterion                             | Private WAN      | ISP Service       | SP MPLS and IP VPN             | Self-Deployed MPLS
Secure transport                      | IPsec (optional) | IPsec (mandatory) | IPsec (mandatory)              | IPsec (mandatory)
High availability                     | Excellent        | Good              | Excellent                      | Excellent
Multicast                             | Good             | Good              | Good                           | Excellent
Voice and video support               | Excellent        | Low               | Excellent                      | Excellent
Scalable network growth               | Moderate         | Good              | Excellent                      | Excellent
Easily shared WAN links               | Moderate         | Moderate          | Moderate                       | Excellent
Operational costs                     | High             | Low               | Moderate, depends on transport | Moderate to high
Network control                       | High             | Moderate          | Moderate                       | High
Effort to migrate from private to WAN | Low              | Moderate          | Moderate                       | High

Example: Cisco WAN Architectures in the Healthcare Environment

Selecting Enterprise Edge Hardware Components and Software Features


Hardware selection incorporates the selection of data link layer functions and features of a particular device
  Considerations: port density, packet throughput, future expandability, redundancy
Software selection focuses on network layer performance
  Considerations: forwarding decisions, bandwidth optimization, security

Cisco IOS Software in the Network

Cisco IOS Software T: IP Services and Ease of Deployment
  Broadband access
  Mobility and wireless
  Data center
  Security
  IP communications

Cisco IOS Software S: IP Services and Infrastructure
  High-end enterprise core
  Service provider edge
  Virtual Private Networks (MPLS, Layer 2 and Layer 3)
  Video and content multicast

Cisco IOS Software XR: Scale and Availability
  Large-scale networks
  High availability
  In-service software upgrade

Cisco IOS Packaging

Cisco IOS Packaging Technology Segmentation


Feature set                   | IP Base | IP Voice | Advanced Security | Enterprise Base | SP Services | Advanced IP Services | Enterprise Services | Advanced Enterprise Services
Data Connectivity             | X       | X        | X                 | X               | X           | X                    | X                   | X
VoIP and VoFR                 |         | X        |                   |                 | X           | X                    | X                   | X
ATM, VoATM, MPLS              |         |          |                   |                 | X           | X                    | X                   | X
AppleTalk, IPX, IBM Protocols |         |          |                   | X               |             |                      | X                   | X
Firewall, IDS, VPN            |         |          | X                 |                 |             | X                    |                     | X

Comparing Router Platforms and Software Functions


Hardware                    | Software                                      | Function
800, 1800, 2800, 3800, 7200 | Cisco IOS T Releases 12.3, 12.4, 12.3T, 12.4T | Supports access routing platforms providing fast, scalable delivery of mission-critical enterprise applications
7200, 7301, 7304, 7500, 10K | Cisco IOS S Release 12.2SB                    | Delivers midrange broadband and leased-line aggregation for enterprise and service provider edge networks
7600                        | Cisco IOS S Release 12.2SR                    | Delivers high-end Ethernet LAN switching for enterprise access, distribution, core, and data center deployments, and high-end Metro Ethernet for service provider edge
12000, CRS-1                | Cisco IOS XR                                  | Provides massive scale, continuous system availability, and service flexibility for service provider core and edge (takes advantage of the massively distributed processing capabilities of the Cisco CRS-1 routing system and the Cisco 12000)

Comparing Multilayer Switch Platforms and Software Functions


Hardware                    | Software                   | Function
800, 1800, 2800, 3800, 7200 | Cisco IOS S Release 12.2SE | Provides low-end to midrange Ethernet LAN switching for enterprise access and distribution deployments
4500, 4900                  | Cisco IOS S Release 12.2SG | Provides midrange Ethernet LAN switching for enterprise access and distribution deployments in the campus, and supports Metro Ethernet
6500                        | Cisco IOS S Release 12.2SX | Delivers high-end Ethernet LAN switching for enterprise access, distribution, core, and data center deployments, and high-end Metro Ethernet for service provider edge

Use the Cisco Feature Navigator to find the right Cisco IOS and Catalyst operating system software release and features.

Summary
Traditional WAN technologies include leased lines, circuit-switched PSTN, and packet-switched networks.
Remote-access networks connect teleworkers and traveling employees.
A VPN provides connectivity over a shared infrastructure with the same policies and performance as a private network.
WAN backup strategies are needed to provide high availability between remote sites.
The Cisco Enterprise WAN and MAN Architecture provides integrated QoS, network security, reliability, and manageability.
Enterprise WAN design includes selecting the appropriate components, including hardware and software.

Designing the Enterprise Branch

Designing Remote Connectivity

Enterprise Branch Services

Enterprise Branch Architecture

Characterizing the Branch


Number of locations
Number of existing devices
Scalability needed
High-availability requirements
Security concerns
Management concerns
Wireless services needed
Approximate budget

Enterprise Branch Profiles

Small Branch Office Design


Infrastructure components
  Access router
  Layer 2 switching (integrated or external stackable)
  Laptops, phones, printers

WAN services and backup
  Internet deployment model
  T1 primary link
  ADSL secondary link

Network fundamentals
  EIGRP
  High availability: floating statics, T1 with ADSL
  QoS: shaping, policing, scavenger class (applied to both switch and router)

Medium Branch Office Design


Infrastructure components
  Dual access routers
  External stackable switch (Layer 2 or Layer 3)
  Laptops, phones, printers

WAN services
  Private WAN deployment
  Dual Frame Relay links

Network fundamentals
  EIGRP
  High availability: dual routers, HSRP
  QoS: shaping, policing, scavenger class (applied to both switch and router)

Large Branch Office Design


Infrastructure components
  Dual access routers for WAN edge
  Dual ASAs for firewalls
  Dual multilayer switching (stackable or modular)
  Laptops, phones, printers

WAN services
  MPLS deployment model
  Dual links to WAN cloud

Network fundamentals
  EIGRP
  High availability: dual routers at every layer, HSRP object tracking, ASA failover
  QoS: shaping, policing, scavenger class (applied to all routers and switches)

Comparison of Teleworking Options


Application or service              | Occasional Remote Worker (occasional users) | Branch of One (part-time or full-time and day extenders)
E-mail                              | Yes         | Yes
Web-based applications              | Yes         | Yes
Mission-critical applications       | Best effort | Prioritized
Real-time collaboration             | Best effort | Prioritized
Voice over IP                       | Best effort | High quality
Video on demand, Cisco IP/TV        | Unlikely    | High quality
Video conferencing                  | Unlikely    | High quality
Remote configuration and management | No          | Yes
Integrated security                 | Basic       | Full
Resiliency and availability         | No          | Yes

Branch of One Architecture


Advanced applications support (voice, video)
Centralized management
IT-managed security policies

Corporate-Pushed Security Policies (Not User-Managed)

Corporate Phone, Toll Bypass, Centralized Voice Mail

Integrated Security and Identity Services

Summary
The Cisco Enterprise Branch Architecture provides enterprise services to remote users.
You should characterize each branch location to develop a suitable design:
  Small branch office design typically uses a single WAN access router with one or two access switches to support up to 50 users.
  Medium branch office design typically uses two WAN access routers with multiple access switches to support up to 100 users.
  Large branch office design typically uses two WAN access routers, one or more multilayer distribution switches, and multiple access switches to support 100 to 1000 users.
  An enterprise teleworker design can use a small ISR with integrated switch ports and an always-on VPN to support one teleworker.
Remote Connectivity Design Review


Analyze network requirements:
  Type of applications, the traffic volume, and traffic pattern
  Redundancy and backup needed
Characterize the existing network and sites:
  Technology used, and location of hosts, servers, terminals, and other end nodes
Develop WAN and branch network design:
  Select WAN and branch technology to support requirements.
  Select hardware and software components to support requirements.

Module Summary
Network application and connectivity requirements influence the WAN design.
The Cisco Enterprise MAN and WAN architecture provides integrated QoS, network security, reliability, and manageability on:
  Private WANs
  ISP service through site-to-site and remote-access VPNs
  Service provider-managed IP or MPLS VPNs
The Cisco Enterprise Branch Architecture supports small, medium, large, and teleworker locations.

Designing IP Addressing and Selecting Routing Protocols


Designing for Cisco Internetwork Solutions (DESGN) v2.0

Designing IP Addressing

Designing IP Addressing and Selecting Routing Protocols

Prerequisite Knowledge
IPv4 address and mask structure
IPv4 classes and CIDR
Static addressing
Dynamic addressing with DHCP
DNS
Private and public addresses
NAT and PAT:
  Static NAT
  Dynamic NAT
  Overloading

Private and Public IPv4 Address Guidelines

Network Size and IP Addressing Planning


How many locations are in the network?
How many devices are in each location?
What are the IP addressing requirements for individual locations?
What subnet size is appropriate?

Determining General Network Topology

IP Address Requirements by Location


Location        | Office Type | Workstations | Servers | IP Phones | Router Interfaces | Switches Layer 3 | Firewall and Net Device Interfaces | Reserve | Total
San Francisco   | Main        | 600          | 35      | 600       | 17                | 26               | 12                                 | 20%     | 1290
Denver          | Regional    | 210          | 7       | 210       | 10                | 4                | 0                                  | 20%     | 441
Houston         | Regional    | 155          | 5       | 155       | 10                | 4                | 0                                  | 20%     | 329
Remote Office 1 | Remote      | 12           | 1       | 12        | 2                 | 1                | 0                                  | 10%     | 28
Remote Office 2 | Remote      | 15           | 1       | 15        | 3                 | 1                | 0                                  | 10%     | 35
Remote Office 3 | Remote      | 8            | 1       | 8         | 3                 | 1                | 0                                  | 10%     | 21
Total           |             | 1000         | 50      | 1000      | 45                | 37               | 12                                 |         | 2144

IP Addressing Hierarchy
Reasons to implement include:
  Influence of IP addressing on routing
  Modular design and scalable solutions
  Support for route aggregation

Route Summarization Groups


Benefits of hierarchical addressing include:
  Support for route summarization groups
  Efficient aggregation of routing advertisements
Poorly designed IP addressing results in:
  Excess routing traffic, leading to additional bandwidth consumption
  Increased routing table recalculations, degrading router performance

Example: Address Blocks by Location


Location             | Counts | Rounded Power of 2 | Address Block
San Francisco Campus | 1290   |                    |
Denver Region        |        |                    |
  Denver Office 1    | 441    |                    |
  Remote Office 1    | 28     |                    |
  Remote Office 2    | 35     |                    |
Houston Region       |        |                    |
  Houston Campus     | 329    |                    |
  Remote Office 3    | 21     |                    |

Example: Address Blocks by Location


Location             | Counts | Rounded Power of 2 | Address Block
San Francisco Campus | 1290   | 2048               |
Denver Region        |        |                    |
  Denver Office 1    | 441    | 512                |
  Remote Office 1    | 28     | 64                 |
  Remote Office 2    | 35     | 64                 |
Houston Region       |        |                    |
  Houston Campus     | 329    | 512                |
  Remote Office 3    | 21     | 64                 |

Example: Address Blocks by Location


Location             | Counts | Rounded Power of 2 | Address Block
San Francisco Campus | 1290   | 2048               |
Denver Region        |        | 1024               |
  Denver Office 1    | 441    | 512                |
  Remote Office 1    | 28     | 64                 |
  Remote Office 2    | 35     | 64                 |
Houston Region       |        | 1024               |
  Houston Campus     | 329    | 512                |
  Remote Office 3    | 21     | 64                 |

Example: Address Blocks by Location


Location             | Counts | Rounded Power of 2 | Address Block
San Francisco Campus | 1290   | 2048               | 172.16.0.0 to 172.16.7.255 /21
Denver Region        |        | 1024               | 172.16.8.0 to 172.16.11.255 /22
  Denver Office 1    | 441    | 512                | 172.16.8.0 to 172.16.9.255 /23
  Remote Office 1    | 28     | 64                 | 172.16.10.0 /26
  Remote Office 2    | 35     | 64                 | 172.16.10.64 /26
Houston Region       |        | 1024               | 172.16.12.0 to 172.16.15.255 /22
  Houston Campus     | 329    | 512                | 172.16.12.0 to 172.16.13.255 /23
  Remote Office 3    | 21     | 64                 | 172.16.14.0 /26
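The steps behind the last few slides (sum the device counts per location, round each site up to a power of two, assign contiguous blocks so that each region's block is the summary route of its sites) can be reproduced in code. The following is an added example, not part of the DESGN material: it takes the course's device counts from the IP Address Requirements by Location table, carves aligned blocks out of 172.16.0.0/16 in the table's order, computes each region's summary route, and checks whether the table's reserve percentage still fits in the block that was allocated. Two assumptions are made to reproduce the table's values: no site receives a block smaller than a /26, and a region block is the next power of two at or above the sum of its site blocks.

```python
"""Added example, not part of the DESGN material: derive the per-location
address requirement from the course's device-count table, round each site to a
power of two, carve a hierarchical plan out of 172.16.0.0/16, and check that
each region block is the summary route of its sites.  Assumptions made to match
the course's Address Blocks by Location table: sites never get a block smaller
than a /26, and region blocks are rounded to the next power of two at or above
the sum of their site blocks."""
import ipaddress
import math

# (workstations, IP phones, servers, router interfaces, Layer 3 switches,
#  firewall and network-device interfaces, reserve fraction) per location,
# copied from the IP Address Requirements by Location table.
LOCATIONS = {
    "San Francisco":   (600, 600, 35, 17, 26, 12, 0.20),
    "Denver":          (210, 210, 7, 10, 4, 0, 0.20),
    "Houston":         (155, 155, 5, 10, 4, 0, 0.20),
    "Remote Office 1": (12, 12, 1, 2, 1, 0, 0.10),
    "Remote Office 2": (15, 15, 1, 3, 1, 0, 0.10),
    "Remote Office 3": (8, 8, 1, 3, 1, 0, 0.10),
}

# Summarization groups from the Address Blocks by Location table, in allocation order.
REGIONS = {
    "San Francisco Campus": ["San Francisco"],
    "Denver Region": ["Denver", "Remote Office 1", "Remote Office 2"],
    "Houston Region": ["Houston", "Remote Office 3"],
}

MIN_BLOCK = 64   # assumption: the smallest block handed to a site is a /26


def required_addresses(name: str) -> int:
    """Sum of the device counts (the table's Total column, reserve excluded)."""
    return sum(LOCATIONS[name][:6])


def round_up_pow2(n: int, minimum: int = MIN_BLOCK) -> int:
    """Smallest power of two that is >= n and >= minimum."""
    size = minimum
    while size < n:
        size *= 2
    return size


def prefix_len(size: int) -> int:
    """Prefix length of a block of `size` addresses (size is a power of two)."""
    return 32 - (size.bit_length() - 1)


def _align(addr: int, size: int) -> int:
    """Move `addr` up to the next multiple of `size` so the block sits on a prefix boundary."""
    return -(-addr // size) * size


def plan(supernet: str = "172.16.0.0/16") -> dict:
    """Allocate one aligned block per region, then aligned site blocks inside it.
    Returns {name: IPv4Network} for both regions and sites."""
    pool = ipaddress.IPv4Network(supernet)
    limit = int(pool.broadcast_address) + 1
    cursor = int(pool.network_address)
    result = {}
    for region, sites in REGIONS.items():
        sizes = {s: round_up_pow2(required_addresses(s)) for s in sites}
        region_size = round_up_pow2(sum(sizes.values()))
        cursor = _align(cursor, region_size)
        if cursor + region_size > limit:
            raise ValueError(f"{supernet} cannot hold {region}")
        result[region] = ipaddress.IPv4Network((cursor, prefix_len(region_size)))
        site_cursor = cursor
        for site, size in sizes.items():
            site_cursor = _align(site_cursor, size)
            result[site] = ipaddress.IPv4Network((site_cursor, prefix_len(size)))
            site_cursor += size
        cursor += region_size
    return result


def summary_route(networks) -> ipaddress.IPv4Network:
    """Smallest single prefix covering all `networks` (what a region advertises upstream)."""
    summary = networks[0]
    while not all(n.subnet_of(summary) for n in networks):
        summary = summary.supernet()
    return summary


def reserve_fits(name: str, block: ipaddress.IPv4Network) -> bool:
    """Does the allocated block still absorb the table's growth reserve for this site?"""
    needed = math.ceil(required_addresses(name) * (1 + LOCATIONS[name][6]))
    return needed <= block.num_addresses


if __name__ == "__main__":
    p = plan()
    for region, sites in REGIONS.items():
        ok = summary_route([p[s] for s in sites]) == p[region]
        print(f"{region:22} {p[region]}  summary route matches: {ok}")
        for s in sites:
            print(f"  {s:18} need {required_addresses(s):5} -> {p[s]}  reserve fits: {reserve_fits(s, p[s])}")
```

Running it reproduces every block in the table above, and the summary-route check confirms that each region's /22 covers its site prefixes, which is what lets the regional routers advertise a single route. The reserve check is the kind of review step worth adding to any addressing plan: with the table's own numbers, Denver's 441 addresses plus a 20% reserve need 530, more than the 512 its /23 provides, so that site would outgrow its block before the others.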

Example: Hierarchical IP Addressing Plan


Managing IP Addresses
- Using DHCP in the enterprise
- Using DNS in the enterprise
- Using NAT in the enterprise


Recommended Practices for IP Address Assignment


Criteria                      Strategic Address Assignment                          Dynamic Address Assignment with DHCP
Node type                     Infrastructure devices such as routers and switches   End-user devices
Number of end-user devices    Up to 30 end-user devices                             More than 30 end-user devices
Renumbering                   Requires manual reconfiguration of all hosts          Only DHCP server reconfiguration is needed
Address tracking              Easy address tracking                                 Requires additional DHCP server configuration
Additional parameters         Manual configuration of all hosts required            Only DHCP server needs to be configured
High availability             IP addresses are available at any time                Redundant DHCP server is required
Security concerns             Minor security risk                                   Any device gets an IP address


Example: IP Address Assignment Methods in an Enterprise Network


Static vs. Dynamic Name Resolution


- Names are used to ease computer-human interaction
- Names are resolved to IP addresses
- Different name resolution strategies:
  - Static
  - Dynamic


Recommended Practices for Name Resolution


Criteria                                    Static Name Resolution   Dynamic Name Resolution
Number of hosts                             Up to 30 hosts           More than 30 hosts
Isolated network                            Applicable               Applicable
Internet connectivity                       Not applicable           Mandatory
Frequent changes and addition of names      Not recommended          Recommended
Application depending on name resolution    Not recommended          Recommended


Using DNS for Name Resolution


Example: Locating DHCP and DNS Servers in the Network


IPv6 Address Structure

x:x:x:x:x:x:x:x, where each x is a 16-bit field written as a hexadecimal number, for example:
2031:0000:130F:0000:0000:09C0:876A:130B
The same address can also be written as 2031:0:130F::9C0:876A:130B


Benefits of IPv6 Addressing


- Larger address space
- Globally unique IP addresses
- Site multihoming
- Header format efficiency
- Improved privacy and security
- Flow labeling capability
- Increased mobility and multicast capabilities


IPv6 Address Scope Types


IPv6 address scope types:
- Unicast (one to one)
- Anycast (one to nearest)
- Multicast (one to many)
- Broadcast addresses are not available


IPv6 Address Types: Link-Local and Site-Local


Link-Local Address

Site-Local Address


IPv6 Address Types: Global Aggregatable

Global Aggregatable Address


IPv6 Routing Protocol Considerations

Interior Gateway Protocols (IGPs) for routing inside autonomous systems:
- RIPng
- EIGRP for IPv6
- OSPFv3
- Integrated IS-IS

Exterior gateway protocols (EGPs) for peering between autonomous systems:
- BGP+

IPv6 Address Assignment Strategies


Static:
- Same as IPv4

Dynamic:
- Link-local
- Stateless
- Stateful using DHCPv6


IPv6 Name Resolution


Static:
- Same as IPv4

Dynamic (autoconfiguration):
- DNS server with IPv6 stack support


IPv4- and IPv6-Aware Applications and Name Resolution

In a dual-stack case, an application is IPv4- and IPv6-enabled. The application decides which stack to use and asks DNS for the address.


IPv4-to-IPv6 Transition Strategies


Three major transition strategies are available:
- Dual stack (IPv4 and IPv6 coexist in the same device and networks)
- Tunneling (IPv6 packets are encapsulated into IPv4 packets)
- Translation (IPv6-only devices can talk to IPv4 devices)


Dual-Stack Mechanism

- Both IPv4 and IPv6 stacks are enabled.
- Applications can talk to both stacks.
- The IP version choice is based on name lookup and application preference.
- Popular operating systems support IPv6.


Tunneling Mechanism

Encapsulates the IPv6 packet in an IPv4 packet. Techniques:
- Manually configured
- Semiautomated
- Automatic

Translation Mechanism


Summary
- Key components of an IPv4 addressing scheme include IP address structure, address classes, subnetting, and masking.
- Well-designed hierarchical IP addressing enables efficient aggregation of routing advertisements, which consumes less bandwidth and router CPU.
- Dynamic IP address assignment is a recommended practice in the enterprise.
- Dynamic name resolution with a DNS server is a recommended practice in the enterprise.
- IPv6 was designed as a successor to IPv4 to overcome IPv4 limitations.
- The IPv6 address structure and address types support a much larger address space than IPv4.
- IPv6 supports two address types: link-local and global aggregatable.


Reviewing Enterprise Routing Protocols

Designing IP Addressing and Selecting Routing Protocols


Distance Vector and Link-State Comparison


Distance vector protocol characteristics:
- Slow convergence
- Easy implementation and maintenance
- Limited scalability

Link-state protocol characteristics:
- Fast convergence
- Good scalability
- Less routing traffic overhead
- More knowledge needed for implementation and maintenance


Example: Distance Vector Routing

Routing updates are periodic:
- Include whole routing tables
- Use gratuitous updates (except RIPv2)

Example: Link-State Routing

Triggered updates:
- Include data on the link states of changing links
- Use multicast propagation

Interior vs. Exterior Routing Protocols


Interior Gateway Protocols (IGPs):
- Routing inside autonomous systems
- Fast convergence and easy configuration
- Low administrator influence on routing decisions

Exterior gateway protocols (EGPs):
- Routing between autonomous systems
- Slow convergence and more complex configuration
- High administrator influence on routing decisions


Example: Interior vs. Exterior Routing Protocols


Hierarchical vs. Flat Routing Protocols


Flat routing protocols propagate all routing information throughout the network:
- Classful routing protocols
- Not appropriate for large networks
- RIPv1, IGRP, RIPv2 (classless)

Hierarchical routing protocols divide large networks into smaller areas:
- Classless routing protocols
- Limited route propagation between areas
- EIGRP, OSPF, IS-IS


Example: Flat and Hierarchical Networks

Comparing flat and hierarchical networks:
- A hierarchical structure means less routing traffic overhead.
- Summarization is the key.

Routing Protocol Convergence


- A converged network is a stable network with all needed routing information.
- Network convergence takes place:
  - Initially, on network startup
  - On topological changes
- Enterprise routing protocols should have short convergence times.


Routing Protocol Convergence Comparison

Protocol   Convergence Time to Router E
RIP        Holddown + 1 or 2 update intervals
EIGRP      Matter of seconds
OSPF       Matter of seconds


Enhanced IGRP (EIGRP)

- Advanced distance vector protocol based on IGRP, with some link-state protocol features
- Supports VLSM


EIGRP Characteristics
EIGRP Characteristic                      Implemented By
Fast convergence                          Diffusing Update Algorithm (DUAL)
Improved scalability                      Manual summarization, fast convergence
Use of VLSM                               Subnet mask in updates
Reduced bandwidth usage                   No periodic updates
Multiple network layer protocol support   IPv4, IPv6 (Protocol Dependent Modules for IPX, AppleTalk)


Open Shortest Path First (OSPF)


Developed in 1988 by the IETF; version 2 is described in RFC 2328. OSPF was devised for use in large, scalable networks where RIP failed:
- Improved speed of convergence
- Network reachability (no hop-count limitations)
- Support for VLSM
- Improved path calculation


Example: OSPF Multiarea Network


OSPF Characteristics
OSPF Characteristic       Implemented By
Fast convergence          Link-state updates (triggered), SPF calculation
Very good scalability     Multiple-area design
Use of VLSM               Subnet mask in updates
Reduced bandwidth usage   No periodic updates


Integrated IS-IS
- Link-state protocol
- Supports IPv4, IPv6, and OSI CLNP
- Support for VLSM
- Based on a Level 2 backbone to which Level 1 areas are attached
- Typically deployed in service provider environments; enterprise network administrators usually have limited knowledge of IS-IS


Border Gateway Protocol (BGP)


- BGP is an exterior gateway protocol (EGP) used in Internet routing.
- BGP is a path vector protocol with enhancements:
  - Suited for strategic routing policies used between autonomous systems
  - Allows administrators to adjust parameters to influence routing


BGP Network Implementation

BGP is primarily used for inter-autonomous-system (inter-AS) routing.



Internal BGP
- BGP can run between routers within one autonomous system.
- IBGP neighbors need not be directly connected (use static routes or an IGP to convey reachability information).
- Other IBGP uses:
  - Intra-autonomous system policy implementations
  - QoS Policy Propagation on BGP (QPPB)
  - MPLS VPNs (using multiprotocol IBGP)


Recommended Enterprise Routing Protocol Comparison


Enterprise Characteristic                 EIGRP   OSPF
Fast convergence                          Yes     Yes
Very good scalability                     Yes     Yes
Use of VLSM                               Yes     Yes
Multiple network layer protocol support   Yes     No
Mixed vendor devices                      No      Yes


Summary
- Protocols with hierarchical and link-state attributes support the fastest network convergence.
- EIGRP and OSPF are the recommended IGPs for the enterprise.
- EIGRP is a Cisco proprietary protocol for routing IPv4, IPv6, IPX, and AppleTalk traffic.
- OSPF is a standardized protocol for routing IPv4, developed to replace RIP in larger, more diverse media networks. It can also support IPv6.
- BGP is a representative EGP. It is primarily used to interconnect autonomous systems or to connect enterprises to an ISP.


Designing a Routing Protocol Deployment

Designing IP Addressing and Selecting Routing Protocols


Routing Protocols in the Enterprise Architecture


Route Redistribution

Redistribution between routing protocols and routing domains occurs on the router at the boundary.


Route Redistribution Direction


Redistribution of routing protocols (boundary router):
- One-way redistribution, in one direction (for example, from enterprise edge to campus core)
- Two-way redistribution, in both directions


Route Redistribution in the Enterprise Network


Redistribution:
- From selected building access protocols
- Between campus core and WAN routers
- From static routes to the enterprise IGP
- Static routes or BGP routes into the enterprise IGP


Route Filtering
Filtering upon redistribution:
- Avoids routing loops
- Avoids suboptimal routing
- Prevents certain routes from entering the routing domain


Route Summarization


Recommended Practice: Summarize at the Distribution Layer

- It is important to force summarization at the distribution layer toward the core.
- After a link failure, return-path traffic requires an OSPF or EIGRP reroute.
- Summaries limit the number of peers an EIGRP router must query or the number of LSAs an OSPF peer must process.
- Summaries allow faster reroutes.
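As an added example (not from the course or from Cisco), the following Python computes the summary a distribution switch would advertise toward the core for a set of access-layer subnets, and reports which address space inside that summary the subnets do not actually use; the subnet values are constructed, and the `summarize`/`overclaimed` names are this example's own.

```python
import ipaddress
from typing import List


def summarize(prefixes: List[str]) -> str:
    """Return the single shortest prefix that covers every network in `prefixes`.

    This is the summary a distribution switch advertises toward the core for its
    access-layer VLAN subnets. The candidate mask is shortened one bit at a time
    until one block spans from the lowest network address to the highest
    broadcast address of the inputs.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    if len({n.version for n in nets}) != 1:
        raise ValueError("cannot mix IPv4 and IPv6 prefixes in one summary")
    net_cls = type(nets[0])
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    for plen in range(nets[0].max_prefixlen, -1, -1):
        candidate = net_cls((lo, plen), strict=False)   # lo masked to plen bits
        if int(candidate.broadcast_address) >= hi:
            return str(candidate)
    raise AssertionError("unreachable: a /0 covers everything")


def overclaimed(summary: str, prefixes: List[str]) -> List[str]:
    """Address blocks inside `summary` that none of `prefixes` actually uses.

    Traffic for these destinations follows the summary to the distribution
    switch and is dropped there (IOS installs a discard route to Null0 for each
    summary), so the list shows what the summary silently claims.
    """
    leftovers = [ipaddress.ip_network(summary)]
    for net in (ipaddress.ip_network(p) for p in prefixes):
        remaining = []
        for block in leftovers:
            if net.subnet_of(block):
                remaining.extend(block.address_exclude(net))  # carve net out
            elif block.subnet_of(net):
                continue  # block lies entirely inside net: fully used
            else:
                remaining.append(block)  # disjoint: untouched
        leftovers = remaining
    return [str(n) for n in sorted(ipaddress.collapse_addresses(leftovers))]


if __name__ == "__main__":
    # Constructed example: four contiguous access VLAN subnets behind one
    # distribution pair collapse cleanly into a /22 with nothing overclaimed.
    closet = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
    s = summarize(closet)
    print(s, overclaimed(s, closet))  # 10.1.0.0/22 []

    # Constructed example: a sparse allocation forces a wider summary that
    # claims unused space, which is why the addressing plan must be hierarchical.
    sparse = ["10.2.0.0/24", "10.2.1.0/24", "10.2.5.0/24"]
    s = summarize(sparse)
    print(s, overclaimed(s, sparse))
    # 10.2.0.0/21 ['10.2.2.0/23', '10.2.4.0/24', '10.2.6.0/23']
```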


Recommended Practice: Passive Interfaces for IGP at Access Layer

Limit unnecessary peering. Without passive interfaces:
- With four VLANs per wiring closet, 12 adjacencies total
- Memory and CPU requirements increased with no real benefit
- Creates overhead for the IGP

Summary

- Large networks may implement multiple protocols for different modules of the Cisco Enterprise Architecture.
- Advanced routing features such as redistribution, filtering, and summarization allow multiple routing protocols to coexist and provide greater scalability.
- Redistribution between different routing protocols passes routing knowledge from one protocol to another.
- Route filtering prevents advertisement of certain routes through the routing domain.
- Route summarization and an IP hierarchy reduce routing traffic and unnecessary route recomputation.


IP Addressing and Routing Review

- Define the IP addressing requirements.
- Develop a hierarchical IP addressing plan:
  - Use private addresses inside the organization.
  - Use public addresses facing the Internet.
  - Use NAT or PAT for translation as needed.
- Develop a plan for deploying DHCP and DNS.
- Use EIGRP or OSPF, based on organizational requirements.
- Implement recommended practices, including redistribution, filtering, and summarization.


Module Summary

- IP address structure and IP address types have a large impact on the address plan for both IPv4 and IPv6.
- EIGRP and OSPF are the recommended IGPs for the enterprise.
- Advanced routing features such as redistribution, filtering, and summarization support scalability and multiple routing protocols.


Evaluating Security Solutions for the Network

Designing for Cisco Internetwork Solutions (DESGN) v2.0


Defining Network Security

Evaluating Security Solutions for the Network


Reasons for Network Security

- Defend against attacks
- Prevent unauthorized access
- Prevent data misuse and theft
- Comply with security legislation
- Comply with industry standards
- Comply with company policy


Example: Legislation and Directives

Legislation and industry directives that may affect organizational security include:
- GLBA: the Gramm-Leach-Bliley Act
- HIPAA: Health Insurance Portability and Accountability Act
- EU Data Protection Directive 95/46/EC
- SOX: Sarbanes-Oxley Act
- PCI DSS: Payment Card Industry Data Security Standard


Threats and Risks


Reconnaissance and Vulnerability Scanning

- Determine active targets
- Determine running network services
- Determine operating system platform
- Find trust relationships
- Check for proper file permissions
- Identify user account information
- Port-scanning tools include:
  - Nmap
  - NetStumbler
  - SuperScan
  - Kismet


Example: NMAP Screen


Vulnerability Assessment

- Active (sending packets) or passive (sniffer)
- Published vulnerability information:
  - CERT/CC
  - MITRE
  - Microsoft
  - Cisco security notices
- Reconnaissance tools:
  - Nessus
  - MBSA
  - SAINT


Gaining System Access

- Using knowledge of usernames and passwords
- Improper escalation of privilege
- Default administrative and service accounts
- Gaining access to other systems via trust relationships
- Using social engineering:
  - Physical access to information
  - Psychological approach
- Cracking captured passwords


Integrity and Confidentiality Threats


Availability Threats (Denial of Service)


Everything Is a Potential Target

Hosts are the preferred target for worms and viruses.
- In the past year, a large number of attacks targeted hosts.
- Compromised hosts are often used as attack launch points (botnets).

But there are other high-value alternative targets:
- Infrastructure devices: routers, switches
- Support services: DHCP servers, DNS servers
- Endpoints: management stations, IP phones
- Infrastructure: network capacity
- Security devices: IDS and IPS


Network Security in the System Lifecycle

- Business needs: What does your organization want to do with the network?
- Risk analysis: What is the risk and cost balance?
- Security policy: What are the policies, standards, and guidelines to address business needs and risk?
- Industry recommended practices: What are the reliable, well-understood, and recommended security practices?
- Security operations: What is the process for incident response, monitoring, maintenance, and compliance auditing of the system?


What Is a Security Policy?

"A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide."
(RFC 2196, Site Security Handbook)


Why Is a Security Policy Needed?

- Sets the framework for the security implementation:
  - Defines organizational assets and the way to use them
  - Defines and communicates roles
  - Helps determine necessary tools and procedures
  - Defines how to identify and handle security incidents
- Creates a baseline of the current security posture:
  - Defines allowed and not-allowed system behaviors
  - Informs users of their responsibilities and ramifications of asset misuse
  - Provides risk assessment and cost-benefit analysis


Network Security and Risks

Network security can reduce risks to acceptable levels:
- Risk assessment defines threats and their probability and severity.
- A network security policy enumerates risks relevant to the network and describes how risks will be controlled or managed.
- A network security design implements the security policy.

Justify security costs by the potential cost and inconvenience of incidents.


Risk Index Calculation

Risk | Probability (P) (1-3) | Severity (S) (1-3) | Control (C) (1-3) | Risk Index (P * S) / C (up to 9)


Example: Risk Index Calculation

Risk | Probability (P) (1-3) | Severity (S) (1-3) | Control (C) (1-3) | Risk Index (P * S) / C (up to 9)
1. Breach of confidentiality of customer database | 1 | 3 | 2 | 1.5
2. DDoS attack sustained for more than 1 hour against e-commerce server | 2 | 2 | 1 | 4


Components of a Security Policy


Network Security Is a Continuous Process

Secure:
- Identity and authentication
- Filtering and stateful inspection
- Encryption and VPNs

Monitor:
- Intrusion detection and response
- Content-based detection and response

Test:
- Security posture assessment
- Vulnerability scanning
- Patch verification and application auditing

Improve:
- Event and data analysis and reporting
- Network security intelligence


Integrate Security Design and Network Design

- Security services can reside inside the network infrastructure.
- Security design coupled with network design is far more manageable.
- Recommended practice: integrate security and network design.
- Integrated security and network design requires coordination.


Summary

- Security services must provide adequate protection to conduct business in a relatively open environment.
- There are many types of security threats and associated risks.
- Each device on the network, such as a host, router, or switch, is a potential security target.
- Network security is part of the system life cycle.
- Network security is a continuous process built around a security policy.
- Security design and network design should be integrated.


Understanding the Cisco Self-Defending Network

Evaluating Security Solutions for the Network


Cisco Self-Defending Network

- Efficient security management, control, and response
- Advanced technologies and security services to:
  - Protect critical assets
  - Mitigate the effects of outbreaks
  - Ensure privacy
- Network as Platform


Network as Platform for Security

Cisco Integrated Services Routers:
- Integrate Cisco IOS Firewall, VPN, and intrusion prevention system (IPS) services across the Cisco router portfolio
- Deploy new security features on existing routers using Cisco IOS Software
- Cisco NAC-enabled

Cisco Catalyst Switches:
- Denial-of-service (DoS) attack mitigation
- Integrated security service modules for high-performance threat protection and secure connectivity
- Man-in-the-middle attack mitigation

Cisco Adaptive Security Appliances:
- High-performance firewall, IPS, network antivirus, and IPsec/SSL VPN technologies all in one unified architecture
- Device consolidation to reduce overall deployment and operations costs and complexities
- Cisco NAC-enabled


Self-Defending Network Phases


Trust and Identity Management


Trust Is the Root of Security

- Trust is a relationship in which two (or more) network entities are allowed to communicate.
- Trust forms the root of all security policy decisions.
- Trust and risk are opposites; security is based on enforcing limitations to trust relationships.
- Trust relationships:
  - Can be explicit or implied
  - Can be inherited
  - Can be abused


Domains of Trust

Question: From a security design perspective, what is the key difference between Case 1 and Case 2?

Answer: Case 2 is more segmented into domains of trust.


Example: Domains of Trust

Domains | Gradient | Safeguards Needed
Private to Public | Extreme (high risk) | Advanced firewalling, flow-based inspection, misuse detection (IPS), constant monitoring
Production to Lab | Minor (low risk) | Basic access control, casual monitoring
Headquarters to Branch | Steep (considerable risk) | Communication security, authentication, confidentiality, integrity concerns


Identity

- Identity is the "who" of a trust relationship.
- The identity of a network entity is verified by credentials.
- Both people and devices can be authenticated.
- Three authentication attributes:
  - Something you know
  - Something you have
  - Something you are
- Common approaches to identity:
  - Passwords
  - Tokens
  - Certificates


Passwords
Correlates an authorized user with network resources


Tokens
Strong (two-factor) authentication based on something you know and something you have


Access Control in Networks

- Confidentiality and integrity are traditionally supported through access control.
- Access control enforces rules about which entities can access which resources.
- Network access control is based on:
  - Authentication, which establishes the identity of the subject
  - Authorization, which defines what a subject can do in a network
- Audit trails and real-time monitoring provide accounting and security auditing information.


Example: Trust and Identity Management Technologies

- Access control lists (ACLs)
- Firewalls:
  - Stateful inspection
  - Application inspection
- Network Admission Control (NAC):
  - NAC Framework
  - Cisco NAC Appliance
- IEEE 802.1X:
  - Cisco IBNS


Firewall Filtering Using ACLs


NAC Framework and Appliance

Two approaches for Network Admission Control (NAC):

NAC Framework
- Sold through NAC-enabled products
- Integrated solution leveraging Cisco network and vendor products

Cisco NAC Appliance
- Sold as virtual or integrated appliance
- Self-contained product integrates with but does not rely on partners

NAC Infrastructure
- Offers customers a deployment time-frame choice
- Adapts to investment protection requirements of the customer


802.1X Protocol


Identity and Access Control Deployment Locations

- Authenticate at the edge.
- Deploy ACLs based on policy.
- Practice defense in depth.
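To make "deploy ACLs based on policy" concrete, here is an added example (not from the course or from Cisco IOS) that parses IOS-style extended ACL lines, including wildcard masks, and evaluates packets against them with first-match semantics and the implicit deny at the end; the policy text, addresses and the `parse_acl`/`evaluate` names are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    src: IPv4Net
    dst: IPv4Net
    dport: Optional[int]   # destination port from "eq N", None if unspecified


def _address(tokens: List[str]) -> Tuple[IPv4Net, int]:
    """Parse one IOS address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'.

    Returns the network and the number of tokens consumed. IOS wildcard masks
    are the bitwise inverse of a subnet mask; non-contiguous wildcards such as
    0.0.255.0 are legal on IOS but have no single-prefix form and are rejected
    here (IPv4Network raises ValueError for such a netmask).
    """
    if tokens[0] == "any":
        return IPv4Net("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return IPv4Net(tokens[1] + "/32"), 2
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return IPv4Net(f"{tokens[0]}/{netmask}", strict=False), 2


def parse_acl(text: str) -> List[Rule]:
    """Turn extended-ACL lines (as typed into an IOS config) into ordered rules."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL action: {action}")
        src, used = _address(rest)
        rest = rest[used:]
        dst, used = _address(rest)
        rest = rest[used:]
        dport = int(rest[1]) if rest[:1] == ["eq"] else None  # trailing "log" is ignored
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation; returns (action, index of the matching rule).

    As on IOS, an ACL ends with an implicit 'deny ip any any'. It is reported
    as ("deny", None) so a caller can tell an explicit policy deny from a
    fall-through deny, which matters when reviewing hit counts and logs.
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, rule in enumerate(rules):
        if rule.proto not in ("ip", proto):
            continue
        if s not in rule.src or d not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, i
    return "deny", None


# Constructed example policy: branch users (10.10.0.0/16) may reach only the HQ
# web server and DNS resolver; anything else toward HQ (10.1.0.0/16) is denied
# and logged, while traffic to all other destinations is allowed through.
BRANCH_TO_HQ = """
remark constructed example, not a production policy
permit tcp 10.10.0.0 0.0.255.255 host 10.1.1.10 eq 443
permit udp 10.10.0.0 0.0.255.255 host 10.1.1.53 eq 53
deny ip 10.10.0.0 0.0.255.255 10.1.0.0 0.0.255.255 log
permit ip any any
"""

if __name__ == "__main__":
    rules = parse_acl(BRANCH_TO_HQ)
    print(evaluate(rules, "tcp", "10.10.5.7", "10.1.1.10", 443))  # ('permit', 0)
    print(evaluate(rules, "tcp", "10.10.5.7", "10.1.1.10", 22))   # ('deny', 2)
    print(evaluate(rules, "tcp", "10.10.5.7", "192.0.2.9", 80))   # ('permit', 3)
```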


Threat Defense

- Enhances security in the existing network infrastructure
  - Protects businesses from operation disruption, lost revenue, and loss of reputation
- Adds comprehensive security on network endpoints
  - Cisco Security Agent provides endpoint protection
- Adds dedicated security technologies to networking devices and appliances
  - Security technologies are implemented throughout the network


Physical Security


Physical Security Guidelines


Deploy adequate physical access control.
Evaluate whether physical access can compromise other security features.
Identify additional security issues resulting from device theft.
Protect communications over infrastructure out of your control using cryptography.


Infrastructure Protection
The measures taken to preserve the integrity and availability of the network infrastructure as a transport and service entity.
Goals:
  That the network devices are not accessed or altered in an unauthorized manner
  That the end-to-end network transport and any integrated services remain available
Policy enforcement technologies can help preserve, directly, the integrity and availability of the network.


Infrastructure Protection Deployment Locations


Deploy on all network infrastructure devices:
  Different mechanisms are used on different platforms, but typically there are equivalent functions available.
  More advanced mechanisms are available mainly on higher-end platforms.
Implement throughout the network.


Recommended Practices for Infrastructure Protection


Use SSH to access devices.
Enable AAA and role-based access control for access to all network devices.
Collect and archive syslog information.
Use SNMPv3.
Disable unused services.
Use SFTP (SSH FTP) or SCP and avoid FTP and TFTP.
Install vty access lists to limit access to management and CLI services.
Enable control plane protocol authentication.
Consider one-step lockdown in SDM for basic router security.
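The practices above are the kind of thing a designer verifies on every device before sign-off, so here is an added example (not part of the course material) that audits a Cisco IOS running-config text against them. It parses the indented sub-mode structure of IOS configs, then checks for SSH version 2, `aaa new-model`, a syslog collector, SNMPv3 instead of community strings, enabled services that should be off, the SCP server, vty `access-class` and SSH-only transport, and routing-protocol authentication. The two configurations, the addresses and the key strings in it are constructed placeholders; the IOS commands themselves are standard.

```python
"""Audit a Cisco IOS running-config against the recommended infrastructure-
protection practices: SSH, AAA, syslog, SNMPv3, unused services, SCP,
vty access lists and control-plane authentication.

Added example; the two configurations below are constructed for
illustration and are not taken from any real device."""
import re
from typing import Dict, List


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group indented IOS sub-mode commands under their parent command.
    Top-level commands map to a (possibly empty) list of children."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank lines and '!' separators
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


# Services that should not appear enabled on a hardened device.
INSECURE_SERVICES = ("ip http server", "service tcp-small-servers",
                     "service udp-small-servers", "ip finger")
# Evidence of neighbour authentication for OSPF (MD5), EIGRP and BGP.
ROUTING_AUTH = (r"message-digest", r"authentication mode md5", r"neighbor \S+ password")


def audit(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config)
    top = set(sections)
    every_line = list(top) + [c for kids in sections.values() for c in kids]
    findings: List[str] = []
    if "ip ssh version 2" not in top:
        findings.append("SSH: 'ip ssh version 2' is not configured")
    if "aaa new-model" not in top:
        findings.append("AAA: 'aaa new-model' is not configured")
    if not any(t.startswith("logging host") for t in top):
        findings.append("Syslog: no 'logging host' collector configured")
    if any(t.startswith("snmp-server community") for t in top):
        findings.append("SNMP: v1/v2c community strings present; use SNMPv3")
    if not any(re.match(r"snmp-server group \S+ v3 priv", t) for t in top):
        findings.append("SNMP: no SNMPv3 group at the 'priv' security level")
    for svc in INSECURE_SERVICES:
        if svc in top:
            findings.append(f"Services: '{svc}' is enabled; disable unused services")
    if "ip scp server enable" not in top:
        findings.append("File transfer: SCP server not enabled (avoid FTP/TFTP)")
    for parent, children in sections.items():
        if not parent.startswith("line vty"):
            continue
        if not any(c.startswith("access-class") for c in children):
            findings.append(f"Management: '{parent}' has no access-class")
        if "transport input ssh" not in children:
            findings.append(f"Management: '{parent}' allows transports other than SSH")
    if not any(re.search(p, line) for p in ROUTING_AUTH for line in every_line):
        findings.append("Control plane: no routing-protocol authentication found")
    return findings


# Constructed "before" configuration carrying the weaknesses the checks look for.
WEAK_CONFIG = """\
snmp-server community public RO
ip http server
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
line vty 0 4
 transport input telnet ssh
"""

# Constructed hardened configuration; addresses and key strings are placeholders.
HARDENED_CONFIG = """\
aaa new-model
ip ssh version 2
ip scp server enable
no ip http server
logging host 10.1.1.50
snmp-server group NETMGMT v3 priv
access-list 10 permit 10.1.1.0 0.0.0.255
!
interface GigabitEthernet0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 PLACEHOLDER-KEY
!
router ospf 1
 area 0 authentication message-digest
!
line vty 0 4
 access-class 10 in
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

Run against a saved `show running-config`, the weak configuration yields ten findings and the hardened one none. The checks are deliberately literal string matches on the configuration lines, which is what makes them easy to extend with a site's own policy items.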


Threat Detection and Mitigation


Provide early detection and notification of unpredicted malicious traffic or behavior.
Goals:
  To detect, notify of, and help stop an event or traffic that is unauthorized and unpredicted
  To help preserve the availability of the network, particularly against unknown or unforeseen attacks
Technologies include:
  Endpoint protection
  Infection containment
  Intrusion and anomaly detection
  Application security and anti-X defense

Example: Threat Detection and Mitigation Technologies


Network-based intrusion prevention systems (NIPS):
  Adaptive security appliance (ASA)
  IPS sensor appliance
  Cisco IOS IPS
Host-based intrusion prevention systems (HIPS):
  Cisco Security Agent
NetFlow
Syslog
Event correlation systems:
  Cisco Security Monitoring, Analysis, and Response System (MARS)
Cisco Traffic Anomaly Detector Module

Threat Detection and Mitigation Solutions Deployment Locations


Secure Connectivity


Encryption Fundamentals
A method of protecting the confidentiality of data
Uses keys to encrypt the data and decrypt it at a later time


Encryption Keys
Shared secrets:
  Secret key is carried out of band to the remote side.
  Easiest mechanism, but it has inherent security concerns.

Public key infrastructure (PKI):
  Uses asymmetric cryptography in which the encryption key is different from the decryption key
  Lets you publish the encryption key, while keeping the decryption key secret
  Widely used in e-commerce sites around the world
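To make the two key models concrete, here is an added example (not course material) that puts them side by side: a shared secret, where one key carried out of band does both encryption and decryption, and textbook RSA, where the encryption key (e, n) can be published while the decryption exponent d stays private. The key bytes, the primes p = 61 and q = 53, and the sample message are constructed so the arithmetic can be followed by hand; production systems use keys of 2048 bits or more together with a padding scheme.

```python
"""Shared-secret versus public-key encryption, side by side.

Added example, not course material. The RSA parameters are toy-sized
(p = 61, q = 53) for readability; real deployments use large keys and
padding. The keystream cipher is likewise a teaching construction."""
import hashlib
from math import gcd
from typing import Tuple


# --- Shared secret: one key, carried out of band, used in both directions ---
def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 of key || counter, concatenated to the needed length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def symmetric_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation: XOR with the keystream.
    Whoever holds `key` can do both, so it must stay secret at both ends."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


# --- Public key: (e, n) may be published; d is never sent anywhere ---
def make_rsa_keypair(p: int, q: int, e: int = 17) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Textbook RSA key generation from two primes; returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)          # modular inverse of e, Python 3.8+
    return (e, n), (d, n)


def rsa_encrypt(public: Tuple[int, int], m: int) -> int:
    """Anyone holding the published key can encrypt."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def rsa_decrypt(private: Tuple[int, int], c: int) -> int:
    """Only the holder of d can recover m."""
    d, n = private
    return pow(c, d, n)


if __name__ == "__main__":
    shared = b"constructed-out-of-band-key"
    ct = symmetric_xor(shared, b"same key at both ends")
    print(symmetric_xor(shared, ct))
    pub, priv = make_rsa_keypair(61, 53)
    print(pub, priv, rsa_decrypt(priv, rsa_encrypt(pub, 65)))
```

With p = 61 and q = 53 the public key is (17, 3233) and the private exponent is 2753; the message 65 encrypts to 2790 and decrypts back to 65. The point the slide makes shows in the signatures: `symmetric_xor` takes the same key for both directions, while `rsa_encrypt` and `rsa_decrypt` take different keys.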


VPN Protocols
IPsec (IP security):
  Built directly on the IP layer (Protocol 50)
  Uses IKE and ESP
  Requires IPsec software on endpoints

SSL (Secure Sockets Layer):
  Built on top of the TCP layer (port 443)
  Provides confidentiality for web traffic (HTTPS)
  All major browsers can use SSL
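The difference in where the two protocols sit is exactly what an edge ACL keys on: IPsec ESP is identified by the IP protocol number (50) and has no ports, IKE rides on UDP 500, and SSL is just TCP 443. The added example below (not course material) ties this slide to the earlier "deploy ACLs based on policy" guideline: it parses constructed IPv4 packets and evaluates them against a first-match ACL that admits only those VPN protocols toward a gateway, ending in the implicit deny that real ACLs have. The gateway address 203.0.113.10 and the sources are documentation-range values chosen here; UDP 4500 (IKE NAT traversal) is included as a known detail the slide does not list.

```python
"""Edge ACL over parsed IPv4 packets: permit only the VPN protocols
(ESP = IP protocol 50, IKE on UDP 500/4500, SSL on TCP 443) to the VPN
gateway; everything else falls through to the implicit deny.

Added example, not course material. Gateway, sources and packets are
constructed from documentation address ranges."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

PROTO_ESP, PROTO_TCP, PROTO_UDP = 50, 6, 17


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    dport: Optional[int]      # None for protocols without ports, such as ESP


def parse_ipv4(raw: bytes) -> Packet:
    """Read the fields an ACL needs from an IPv4 header (+ L4 dport for TCP/UDP)."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src = ipaddress.IPv4Address(raw[12:16])
    dst = ipaddress.IPv4Address(raw[16:20])
    dport = None
    if proto in (PROTO_TCP, PROTO_UDP):
        (dport,) = struct.unpack("!H", raw[ihl + 2:ihl + 4])
    return Packet(src, dst, proto, dport)


@dataclass
class AclEntry:
    action: str                       # "permit" or "deny"
    proto: Optional[int]              # None matches any IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and pkt.src in self.src and pkt.dst in self.dst
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


ANY = ipaddress.IPv4Network("0.0.0.0/0")
GATEWAY = ipaddress.IPv4Network("203.0.113.10/32")   # constructed VPN gateway
EDGE_VPN_ACL = [
    AclEntry("permit", PROTO_ESP, ANY, GATEWAY),          # IPsec ESP
    AclEntry("permit", PROTO_UDP, ANY, GATEWAY, 500),     # IKE
    AclEntry("permit", PROTO_UDP, ANY, GATEWAY, 4500),    # IKE with NAT traversal
    AclEntry("permit", PROTO_TCP, ANY, GATEWAY, 443),     # SSL VPN (HTTPS)
]


def build_packet(src: str, dst: str, proto: int, dport: Optional[int] = None) -> bytes:
    """Construct a minimal IPv4 header (checksum left zero) plus L4 ports."""
    payload = b"" if dport is None else struct.pack("!HH", 40000, dport)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def decide(raw: bytes) -> str:
    return evaluate(EDGE_VPN_ACL, parse_ipv4(raw))


if __name__ == "__main__":
    for proto, port in ((PROTO_ESP, None), (PROTO_UDP, 500), (PROTO_TCP, 443), (PROTO_TCP, 23)):
        print(proto, port, decide(build_packet("198.51.100.7", "203.0.113.10", proto, port)))
```

Telnet (TCP 23) toward the gateway and HTTPS toward any other host are both denied without a matching entry, which is the behaviour the "implicit deny" at the end of every Cisco ACL gives you.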


Transmission Confidentiality


Transmission Confidentiality Guidelines


Evaluate the location for transmission confidentiality needs.
Use the strongest available cryptography, performance permitting.
Use well-known and established cryptographic algorithms.
Do not focus on confidentiality alone; integrity and authenticity are also important.


Data Integrity


Data Integrity Guidelines


Evaluate the need for transmission integrity.
Use the strongest available cryptography, performance permitting.
Use well-known and established cryptographic algorithms.
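Integrity and authenticity, as the transmission-confidentiality guideline earlier insists, are a separate property from confidentiality, and the established way to get them on a link is a keyed MAC. The added example below (not course material) uses HMAC-SHA256 from the Python standard library and contrasts it with an unkeyed hash, which catches accidental corruption but not deliberate modification, because the digest can simply be recomputed over the altered data. The key, messages and the modelled in-transit change are constructed.

```python
"""Transmission integrity and authenticity with HMAC-SHA256, contrasted
with an unkeyed hash that detects only accidental corruption.

Added example, not course material. Key and messages are constructed."""
import hashlib
import hmac
from typing import Tuple

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes


def protect(key: bytes, message: bytes) -> bytes:
    """Sender side: append HMAC-SHA256(key, message) to the message."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, wire: bytes) -> Tuple[bool, bytes]:
    """Receiver side: recompute the tag and compare in constant time."""
    if len(wire) < TAG_LEN:
        return False, b""
    message, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected), message


def unkeyed_protect(message: bytes) -> bytes:
    """Hash-only 'integrity': no key, so any party can recompute it."""
    return message + hashlib.sha256(message).digest()


def unkeyed_verify(wire: bytes) -> Tuple[bool, bytes]:
    if len(wire) < TAG_LEN:
        return False, b""
    message, digest = wire[:-TAG_LEN], wire[-TAG_LEN:]
    return hashlib.sha256(message).digest() == digest, message


def modified_in_transit(wire: bytes, new_message: bytes, keyed: bool) -> bytes:
    """Model a change made on the path. Without a key the digest is simply
    recomputed over the new data; with HMAC only the old tag is available."""
    if keyed:
        return new_message + wire[-TAG_LEN:]
    return unkeyed_protect(new_message)


if __name__ == "__main__":
    key = b"constructed-shared-key"
    wire = protect(key, b"amount=100")
    print("genuine:", verify(key, wire))
    print("HMAC after change:", verify(key, modified_in_transit(wire, b"amount=900", True)))
    plain = unkeyed_protect(b"amount=100")
    print("hash-only after change:", unkeyed_verify(modified_in_transit(plain, b"amount=900", False)))
```

The keyed check rejects the altered message and also rejects a receiver holding the wrong key, while the hash-only check accepts the altered message as genuine. `hmac.compare_digest` is used rather than `==` so that verification time does not depend on how many leading tag bytes match.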


Security Management Overview


Security management does the following:
  Collects, analyzes, and presents data
  Provisions policies on security devices
  Maintains consistency and change control of policies
  Provides role-based access control and accounts for all user activity
Security implementation is only as good as the policies used.
The biggest risk to security in a properly planned architecture is policy error.


Security Management Solutions


Cisco Router and Security Device Manager (SDM)
Cisco Adaptive Security Device Manager (ASDM)
Cisco Intrusion Prevention System Device Manager (IDM)
Management Center for Cisco Security Agents
Cisco Secure Access Control Server (ACS)
Cisco Security Manager
Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS)


Summary
The Cisco Self-Defending Network integrates security into the network to provide the network the ability to identify, prevent, and adapt to threats.
Trust and identity management provide secure network access and admission at any point in the network and isolate and control infected or unpatched devices that attempt to access the network.
Threat defense provides a strong defense against known and unknown attacks using security integrated in routers, switches, and appliances.
Secure connectivity uses encryption and authentication to provide secure transport across untrusted networks.
Security management is a framework for scalable policy administration and enforcement.


Selecting Network Security Solutions

Evaluating Security Solutions for the Network


Network Devices Supporting Integrated Security


Cisco IOS router security
PIX security appliance
Adaptive security appliance (ASA)
VPN concentrator
Intrusion prevention system
Catalyst service modules
Endpoint security


Integrated Security for Cisco IOS Routers


Cisco IOS Firewall:
  Stateful multiservice application-based filtering
Cisco IOS IPS:
  In-line deep-packet inspection
Cisco IOS IPsec:
  Data encryption at the IP packet level
Cisco IOS trust and identity:
  AAA
  PKI
  SSH
  SSL


Example: Security Hardware Options for ISRs


Built-in VPN acceleration
Voice security options
High-performance AIM
Cisco IDS Network Module
Cisco Content Engine Module
Cisco Network Analysis Module


Security Appliances
VPN concentrator:
  IPsec and SSL VPN support
PIX security appliance:
  Rich application and protocol inspection
  Integrated site-to-site and remote access VPNs
ASA, a multifunction security appliance:
  Stateful firewall of PIX appliance, plus
  Adaptive threat defense capabilities:
    Application security
    Anti-X defenses
    IPS
  Advanced integration modules

Intrusion Prevention Systems


In line (IPS) or passive (IDS)
Multivector threat identification
Network speeds from multiple T1s to 1 Gbps:
  IPS 4215 sensor protects up to 65 Mbps of traffic
  IPS 4240 sensor protects up to 250 Mbps of traffic
  IPS 4255 sensor protects up to 500 Mbps of traffic
  IPS 4260 sensor protects up to 1 Gbps of traffic


Cisco Catalyst Service Modules


Cisco Firewall Services Module
Cisco Intrusion Detection System Services Module
Cisco SSL Services Module
Cisco IPSec VPN SPA
Cisco Traffic Anomaly Detector Module
Cisco Anomaly Guard Module
Cisco Network Analysis Module


Cisco Security Agent


Spyware and adware protection
Protection against buffer overflows
Distributed firewall capabilities
Malicious mobile code protection
Operating-system integrity assurance
Application inventory
Audit log consolidation


Securing the Enterprise Network


Embed Self-Defending Network features throughout the network in:
  The enterprise campus
  The enterprise data center
  The enterprise edge
Use Self-Defending Network technologies, including:
  Identity and access control
  Threat defense
  Infrastructure protection
  Security management


Deploying Security in the Enterprise Campus: Identity and Access Control

802.1X or NAC
NAC appliance
ACLs
Firewall:
  Stateful inspection
  Application inspection


Deploying Security in the Enterprise Campus: Threat Detection and Mitigation

NetFlow
Syslog
SNMP
Host IPS (Cisco Security Agent)
Network IPS
Cisco Security MARS, Cisco Security Manager


Deploying Security in the Enterprise Campus: Infrastructure Protection

AAA
SSH
SNMPv3
IGP or EGP Message Digest 5
Layer 2 security features


Deploying Security in the Enterprise Campus: Summary

Identity and access control:
  802.1X, NAC, ACLs, firewalls

Threat detection and mitigation:
  NetFlow, syslog, SNMP, Cisco Security MARS, Network IPS, Host IPS

Infrastructure protection:
  AAA, SSH, SNMPv3, IGP or EGP MD5, Layer 2 security features

Security management:
  Cisco Security Manager, Cisco Security MARS

Deploying Security in the Enterprise Data Center: Identity and Access Control

802.1X
ACLs
Firewalls


Deploying Security in the Enterprise Data Center: Threat Detection and Mitigation

NetFlow
Syslog
SNMP
Host IPS (Cisco Security Agent)
Network IPS
Cisco Security MARS, Cisco Security Manager


Deploying Security in the Enterprise Data Center: Infrastructure Protection

AAA
SNMPv3
SSH
IGP or EGP MD5
Layer 2 security features


Deploying Security in the Enterprise Data Center: Summary

Identity and access control:
  802.1X, ACLs, firewalls

Threat detection and mitigation:
  NetFlow, syslog, SNMP, Cisco Security MARS, Network IPS, Host IPS

Infrastructure protection:
  AAA, SSH, SNMPv3, IGP or EGP MD5, Layer 2 security features

Security management:
  Cisco Security Manager, Cisco Security MARS

Deploying Security in the Enterprise Edge: Identity and Access Control

ACLs
Firewall
IPSec or SSL VPN
NAC appliance


Deploying Security in the Enterprise Edge: Threat Detection and Mitigation

NetFlow
Syslog
SNMP
IPS (host or network)
Cisco Security MARS, Cisco Security Manager


Deploying Security in the Enterprise Edge: Infrastructure Protection

SNMPv3
AAA
SSH
IGP or EGP MD5


Deploying Security in the Enterprise Edge: Summary

Identity and access control:
  Firewalls, IPSec, SSL VPN, ACLs

Threat detection and mitigation:
  NetFlow, syslog, SNMP, Cisco Security MARS, Network IPS, Host IPS

Infrastructure protection:
  AAA, CoPP, SSH, RFC 2827, SNMPv3, IGP/EGP MD5

Security management:
  Cisco Security Manager, Cisco Security MARS

Summary
Cisco has integrated security features into the network devices, including ACLs, firewall support, VPNs, IPS, and event logging.
The Cisco Self-Defending Network elements and Cisco network devices with integrated security are deployed throughout the enterprise network.


Security Design Review


Define the security requirements.
Define the security policy.
Integrate security in the network design:
  Implement trust and identity management to secure network access and admission.
  Deploy threat defense to provide a defense against known and unknown attacks.
  Use secure connectivity for encryption and authentication on untrusted networks.
  Deploy security management to scale policy administration and enforcement.
Select locations to deploy appropriate Cisco Self-Defending Network elements and Cisco network devices.

Module Summary
Network security is a continuous process built around a security policy and integrated with network design.
The Cisco Self-Defending Network is based on a secure network platform and uses trust and identity management, threat defense, and secure connectivity to integrate security into the network.
Cisco Self-Defending Network elements and Cisco network devices with integrated security are deployed throughout the enterprise network.


Identifying Voice Networking Considerations

Designing for Cisco Internetwork Solutions (DESGN) v2.0


Reviewing Traditional Voice Architectures and Features

Identifying Voice Networking Considerations


Analog-to-Digital Conversion

Steps for converting analog signal to digital format:
  Filtering
  Sampling
  Digitizing
  Quantization and coding
  Companding (a-law, mu-law)
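Here is an added example (not course material) that carries those steps out on a constructed signal: it samples a sine wave, compands each sample with the continuous mu-law curve, quantizes to an 8-bit code, and decodes again so the reconstruction error can be compared with a plain linear 8-bit quantizer. The 8 kHz sampling rate and 8-bit samples are the standard G.711 parameters, which is where the 64-kbps circuits mentioned later in this module come from; the segmented table form of G.711 mu-law is not reproduced here, and the band-limiting filter step is assumed to have happened before sampling.

```python
"""Analog-to-digital conversion with mu-law companding on a constructed signal.

Added example, not course material. Uses the continuous mu-law formula
(mu = 255) rather than the segmented G.711 encoder; the input is assumed
already band-limited below 4 kHz (the filtering step)."""
import math
from typing import List

MU = 255.0
SAMPLE_RATE_HZ = 8000                 # 8000 samples/s for a 4 kHz voice band
SAMPLE_BITS = 8
LEVELS = 2 ** (SAMPLE_BITS - 1) - 1   # 127 codes each side of zero


def sample(freq_hz: float, seconds: float, amplitude: float = 1.0) -> List[float]:
    """Sampling: evaluate the (constructed) analog sine at discrete instants, in [-1, 1]."""
    n = int(SAMPLE_RATE_HZ * seconds)
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / SAMPLE_RATE_HZ) for i in range(n)]


def mu_law_compress(x: float) -> float:
    """Companding: give quiet samples more of the code space before quantizing."""
    x = max(-1.0, min(1.0, x))
    return math.copysign(math.log1p(MU * abs(x)) / math.log1p(MU), x)


def mu_law_expand(y: float) -> float:
    """Inverse companding on the receiving side."""
    return math.copysign(((1.0 + MU) ** abs(y) - 1.0) / MU, y)


def quantize(y: float) -> int:
    """Quantization and coding: map [-1, 1] to a signed 8-bit integer code."""
    return int(round(y * LEVELS))


def dequantize(code: int) -> float:
    return code / LEVELS


def encode(x: float) -> int:
    """Full transmit path for one sample: compand, then quantize."""
    return quantize(mu_law_compress(x))


def decode(code: int) -> float:
    """Full receive path: dequantize, then expand."""
    return mu_law_expand(dequantize(code))


def linear_roundtrip(x: float) -> float:
    """The same 8-bit quantizer without companding, for comparison."""
    return dequantize(quantize(x))


def max_error(samples: List[float], companded: bool) -> float:
    """Largest absolute reconstruction error over a set of samples."""
    if companded:
        return max(abs(decode(encode(x)) - x) for x in samples)
    return max(abs(linear_roundtrip(x) - x) for x in samples)


def bitrate_bps() -> int:
    """8000 samples/s x 8 bits = the 64-kbps voice channel."""
    return SAMPLE_RATE_HZ * SAMPLE_BITS


if __name__ == "__main__":
    quiet = sample(1000.0, 0.01, amplitude=0.02)   # a quiet talker, 80 samples
    print("mu-law max error:", max_error(quiet, True))
    print("linear max error:", max_error(quiet, False))
    print("bit rate:", bitrate_bps())
```

On the quiet signal the companded path reconstructs with an error roughly an order of magnitude smaller than the linear 8-bit quantizer, which is the reason telephony codecs compand: the same 8 bits cover loud and soft speech with a usable signal-to-noise ratio at both ends.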

PBXs and Switches


PBX:
  Used in private sector
  Scales to n * 1000 phones
  Mostly digital
  Uses 64-kbps circuits
  Uses proprietary protocols to control phones
  Interconnects remote branch subsystems and telephones

PSTN switch:
  Used in public sector
  Scales to n * 100,000 phones
  Mostly digital
  Uses 64-kbps circuits
  Uses open-standard protocols between switches and phones
  Interconnects with other PSTN switches, PBXs, and telephones


Example: PBXs and PSTN Switches


PBX Features

PBX features:
  Call holding
  Transferring
  Forwarding
  Parking
  Conferencing
  Music on hold
  Call history
  Voice mail

PBX can connect to PSTN through T1 or E1



PSTN Switch


Local Loops, Trunks, and Interoffice Communications


Foreign Exchange Trunks

Foreign Exchange Office (FXO):
- Emulates a phone
- Connects to a station port of a PBX or to the PSTN switch

Foreign Exchange Station (FXS):
- Emulates a PBX
- Provides connections for standard phones and fax machines


Basic Telephony Signaling

Local-loop signaling:
- Telephone to switch

Trunk signaling:
- Switch to switch
- PBX to switch
- PBX to PBX

Basic categories:
- Supervision signaling
- Address signaling
- Informational signaling


Analog Signaling on a PBX

Local-loop signaling:
- Loop start: The simplest; for subscriber loops; occurrences of glare
- Ground start: Modification of loop start; more intelligent; for PBX loops; minimizes glare

Trunk signaling:
- E&M (recEive and transMit): Between PBXs; five types of signaling; separate paths for voice and signaling


CAS and CCS Signaling

Channel associated signaling:
- Signal for call setup in the same channel as a voice call
- Examples: T1 or E1 signaling, DTMF

Common channel signaling:
- Messages for call setup
- Examples: ISDN, DPNSS, QSIG, SS7


ISDN Digital Signaling

Channel   Capacity      Mostly Used For
B         64 kbps       Circuit-switched data
D         16/64 kbps    Signaling information


Q Signaling

- Standards-based protocol for inter-PBX communications
- Enables interconnection of multivendor equipment
- Enables basic services and feature transparency between PBXs
- Is interoperable with public and private ISDNs
- Does not impose any restrictions on private numbering plans


SS7 Signaling

- Used between PSTN switches
- Signaling implemented on a separate data network
- Trunk channels used solely for voice transmission
- Replaces per-trunk in-band signaling


PSTN Numbering Plans

- Set of rules for routing voice calls through the PSTN
- Based on the ITU-T recommendation E.164
- Example: North American Numbering Plan (NANP)


Example Country Codes

Zone  Code  Country
1     1     Canada, United States
1     1242  Bahamas
1     1787  Puerto Rico
1     1876  Jamaica
2     20    Egypt
2     212   Morocco
2     213   Nigeria
3     30    Greece
3     34    Spain
3     386   Slovenia
4     44    United Kingdom
4     45    Denmark
5     51    Peru
5     52    Mexico
6     61    Australia
6     63    Philippines
6     679   Fiji Islands
7     7     Kazakhstan, Russia
8     81    Japan
8     86    China
8     886   Taiwan
9     91    India
9     966   Saudi Arabia
9     995   Georgia


Example: Routing Calls Based on a Numbering Plan


Portion of UK National Numbering Plan

Number Range          Description
0                     Trunk prefix (national long-distance calling prefix)
(01xxx) xxx xxx       Geographic numbering options: area code and subscriber number
(01xxx) xxx xxx
(01x1) xxx xxxxx
(011x) xxx xxxxx
(02x) xxxx xxxx
(01xxx[x]) xxxx[x]
(05x) xxxx xxxx       Reserved for corporate numbering
(07xxx) xxxxxx        Mobile phones, pagers, and personal numbering
(0800) xxx xxx        Freephone (except for mobile phone)
(0800) xxx xxxx
(0808) xxx xxxx
999                   Free emergency number
112


Summary

- A telephone system transports analog speech over a digital network.
- PBXs and public telephone switches share many similarities, but they also have differences.
- The telephone infrastructure includes local loops and trunks.
- In a telephony system, a signaling mechanism is required to establish and disconnect telephone communications.
- Each telephone must have a unique address based on the E.164 standard.


Identifying Design Considerations for Voice Services

Identifying Voice Networking Considerations


Separate Voice and Data Networks

- Companies want to reduce WAN costs by integration.
- Data is the primary traffic on many voice networks.
- The PSTN architecture is not flexible enough.
- The PSTN cannot integrate voice, data, and video.


Example: Voice over IP


Example: IP Telephony


Introducing H.323

- ITU-T standard
- Describes video, audio, and data communication across packet-based networks
- Provides session setup, monitoring, and termination
- Refers to a set of other standards:
  - H.225 (Q.931): Call signaling
  - H.245: Capability negotiation and media stream management


H.323 Components


Example: H.323 Components and Their Interactions


The Importance of a Gatekeeper


IP Telephony Components


Design Goals of IP Telephony

- To use end-to-end IP telephony between sites with IP connectivity
- To make IP telephony widely usable
- To lower long-distance costs
- To make IP telephony cost-effective
- To provide high availability of IP telephony
- To offer lower total cost of ownership and greater flexibility
- To enable new applications on top of IP telephony via third-party software
- To improve remote worker, agent, and work-at-home staff productivity
- To facilitate data and telephony network consolidation


Single-Site IP Telephony Design


Multisite WAN with Centralized Call Processing Design


Multisite WAN with Distributed Call Processing Design


Call Control and Transport Protocols

Voice call control functions:
- Q.931 call setup signaling
- H.245 call capability control
- RAS signaling
- RTP Control Protocol (RTCP)

Voice conversation:
- Real-Time Transport Protocol (RTP)


SCCP Control

- SCCP is a client-server protocol.
- SCCP clients register with Cisco Unified CallManager to receive their configuration information.
- Media connections between SCCP clients use RTP.


SIP Control

- SIP is a peer-to-peer protocol.
- SIP user agents communicate with a SIP proxy server.
- SIP phones can register with Cisco Unified CallManager.


MGCP Control

- MGCP is a client-server protocol.
- An MGCP gateway translates between endpoints and IP phones.
- Call agents control MGCP endpoints.


Summary

- Business needs are driving the need for unified voice and data networks not on the PSTN.
- The H.323 standard is a foundation for audio, video, and data communications across IP-based networks, including the Internet.
- IP telephony refers to communication services and voice, facsimile, and voice-messaging applications that are transported via the IP network rather than the PSTN.
- Voice communication over IP relies on control protocols such as H.323, SCCP, SIP, and MGCP.


Identifying the Requirements of Voice Technologies

Identifying Voice Networking Considerations


Voice Quality Considerations

- Examine the possible causes of packet loss and delay in the initial design.
- Use QoS mechanisms as a groundwork for a high-quality voice network.


Fixed Network Delay Considerations

Source of delay                                                   Solution
Propagation delay: 6 ms per km                                    None
Serialization delay: frame length / bit rate                      Faster link, smaller packets
Processing delay: depends on codec (coding and compression,       Hardware DSPs, coding algorithm
packetization)


Variable Network Delay Considerations

Source of delay                                                   Solution
Queuing delay (variable packet sizes and number of packets)       Link fragmentation and interleaving
Dejitter buffers                                                  Constant delay, uncongested network


Jitter

- Variation in the delay of received packets
- Caused by network congestion, improper queuing, or configuration errors


Packet Loss

- Causes voice clipping
- Caused by:
  - Congested links
  - Improper network QoS configuration
  - Bad packet buffer management on the routers
  - Routing problems
- Up to 30 ms of lost voice is correctable by the DSP using interpolation
- Packet losses of up to one packet are correctable with no voice quality degradation


Problem of Echo


Echo Cancellers Reduce the Level of Echo


Voice Coding and Compression

- The quality of transmitted speech is a subjective listener response.
- MOS is a common benchmark to define sound quality.
- MOS scales from 1 (bad) to 5 (excellent).

Coding         ITU Standard   Data Rate*          MOS Score
PCM            G.711          64 kbps             4.1
ADPCM          G.726/G.727    16/24/32/40 kbps    3.85 or less
LD-CELP        G.728          16 kbps             3.61
CS-ACELP       G.729          8 kbps              3.92
ACELP/MPMLQ    G.723.1        6.3/5.3 kbps        3.9/3.65

*Note: Data rates shown are for digitized speech only and do not include the overhead of RTP, UDP, IP, and Layer 2 headers.


Example: Codec Complexity and Calls per DSP on the Cisco AS54-PVDM2-64 Module

Low Complexity (Maximum 64 Calls):
- G.711 a-law
- G.711 mu-law
- Fax passthrough
- Modem passthrough
- Clear-channel codec

Medium Complexity (Maximum 32 Calls):
- G.729a
- G.729ab
- G.726: 16K, 24K, and 32K
- T.38 fax relay
- Cisco Fax Relay

High Complexity (Maximum 24 Calls):
- G.723.1: 5.3K and 6.3K
- G.723.1A: 5.3K and 6.3K
- G.728
- Modem relay
- AMR-NB: 4.75K, 5.15K, 5.9K, 6.7K, 7.4K, 7.95K, 10.2K, 12.2K, and silence insertion descriptor


Bandwidth Availability

Goal: Reduce the amount of traffic per voice call

Solutions:
- Use an effective voice coding and compression mechanism.
- Compress IP headers by using compressed Real-Time Transport Protocol (cRTP).
- Suppress packets of silence by using voice activity detection.


Calculating Voice Bandwidth

Voice packet size = (Layer 2 header) + (IP/UDP/RTP header) + (voice payload)
Voice packets per second (pps) = (codec bit rate) / (voice payload size in bits)
Bandwidth = (voice packet size) * (pps)

Example for a G.729 call with an 8-kbps codec bit rate, cRTP, and a 20-byte voice payload:
Voice packet size = 6 bytes + 2 bytes + 20 bytes = 28 bytes
Voice packet size = 28 bytes * 8 bits/byte = 224 bits
Voice pps = 8000 bits/sec / 160 bits/packet = 50 pps
Bandwidth = 224 bits * 50 pps = 11.2 kbps


Example: Voice Codec Bandwidth Calculator for G.729 Codec


Voice Bandwidth and Codec Standards

Compression          Payload Size (bytes)   Bandwidth (kbps)   Bandwidth with cRTP (kbps)   No. of Calls on a 512-kbps Link (without cRTP / with cRTP)
G.711 (64 kbps)      160                    83                 68                           6 / 7
G.726 (32 kbps)      60                     57                 36                           8 / 14
G.726 (24 kbps)      40                     52                 29                           9 / 17
G.728 (16 kbps)      40                     35                 19                           14 / 26
G.729 (8 kbps)       20                     26                 11                           19 / 46
G.723.1 (6.3 kbps)   24                     18                 8                            28 / 64
G.723.1 (5.3 kbps)   20                     17                 7                            30 / 73
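The bandwidth formula from "Calculating Voice Bandwidth" carried through for every codec in the table above, as an added example that is not the course's calculator tool: per-call bandwidth with and without cRTP, and the number of calls that fit on a 512-kbps link. It assumes 6 bytes of Layer 2 overhead and a 2-byte cRTP header, the values the course example uses; the codec/payload pairs are taken from the table, and small rounding differences from the table's figures come from the course rounding at an intermediate step.

```python
"""Per-call VoIP bandwidth from codec rate, payload size and header overhead
(added example; not the course's own calculator)."""

from dataclasses import dataclass

IP_UDP_RTP_HEADER = 40   # bytes: IPv4 (20) + UDP (8) + RTP (12)
CRTP_HEADER = 2          # bytes: compressed IP/UDP/RTP header, as in the course example
LAYER2_HEADER = 6        # bytes: Layer 2 overhead assumed by the course example


@dataclass(frozen=True)
class Codec:
    name: str
    bit_rate_bps: int      # digitized speech only, no header overhead
    payload_bytes: int     # voice payload carried per RTP packet


# Codec / payload pairs from the course table (entered here as constructed data).
CODECS = [
    Codec("G.711 (64 kbps)", 64000, 160),
    Codec("G.726 (32 kbps)", 32000, 60),
    Codec("G.726 (24 kbps)", 24000, 40),
    Codec("G.728 (16 kbps)", 16000, 40),
    Codec("G.729 (8 kbps)", 8000, 20),
    Codec("G.723.1 (6.3 kbps)", 6300, 24),
    Codec("G.723.1 (5.3 kbps)", 5300, 20),
]


def packets_per_second(codec: Codec) -> float:
    """pps = codec bit rate / payload size in bits."""
    return codec.bit_rate_bps / (codec.payload_bytes * 8)


def packet_size_bytes(codec: Codec, crtp: bool = False,
                      l2_header_bytes: int = LAYER2_HEADER) -> int:
    """Layer 2 header + (compressed or full) IP/UDP/RTP header + payload."""
    ip_header = CRTP_HEADER if crtp else IP_UDP_RTP_HEADER
    return l2_header_bytes + ip_header + codec.payload_bytes


def call_bandwidth_bps(codec: Codec, crtp: bool = False,
                       l2_header_bytes: int = LAYER2_HEADER) -> float:
    """Bandwidth = packet size in bits * packets per second."""
    return packet_size_bytes(codec, crtp, l2_header_bytes) * 8 * packets_per_second(codec)


def calls_per_link(link_bps: int, codec: Codec, crtp: bool = False,
                   l2_header_bytes: int = LAYER2_HEADER) -> int:
    """Whole calls that fit on a link; a partial call does not count."""
    return int(link_bps // call_bandwidth_bps(codec, crtp, l2_header_bytes))


def bandwidth_table(link_bps: int = 512_000) -> list[tuple[str, float, float, int, int]]:
    """One row per codec: (name, kbps, kbps with cRTP, calls, calls with cRTP)."""
    rows = []
    for codec in CODECS:
        rows.append((
            codec.name,
            call_bandwidth_bps(codec) / 1000,
            call_bandwidth_bps(codec, crtp=True) / 1000,
            calls_per_link(link_bps, codec),
            calls_per_link(link_bps, codec, crtp=True),
        ))
    return rows


if __name__ == "__main__":
    print(f"{'Compression':20} {'kbps':>6} {'kbps cRTP':>10} {'calls':>6} {'calls cRTP':>11}")
    for name, bw, bw_crtp, calls, calls_crtp in bandwidth_table():
        print(f"{name:20} {bw:6.1f} {bw_crtp:10.1f} {calls:6d} {calls_crtp:11d}")
```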


Enterprise QoS Mechanisms for Voice

- Traffic classification
- Queuing or scheduling
- Bandwidth provisioning and call admission control


Access Layer QoS Mechanisms for Voice


- 802.1Q trunking and 802.1p
- Multiple egress queues
- Traffic classification and network trust boundary
- Layer 3 awareness and the ability to implement QoS access control lists


Recommended Practice: Separate Voice and Data VLANs


- Voice device protection from external networks
- QoS trust boundary extension to voice devices
- Protection from malicious network attacks
- Ease of management and configuration


Example: QoS Networking Mechanisms


Example: Low Latency Queuing


QoS Consideration for Voice in the WAN


WAN QoS mechanisms:
- Bandwidth provisioning
- Traffic classification
- Queuing and scheduling
- Traffic shaping
- Link efficiency techniques
- Call admission control


Call Admission Control


- Protects voice traffic from being negatively affected by other voice traffic
- Keeps excess voice traffic off the network
- Reroutes excess voice traffic in the following scenarios:
  - Call rerouted via an alternate packet network path
  - Call rerouted via the PSTN network path
  - Call returned to the originating TDM switch with the reject cause code


Example: Call Admission Control


VoIP Network Without CAC

VoIP Network with CAC


Implementing CAC with RSVP


- RSVP is an industry-standard signaling protocol that enables an application to reserve bandwidth dynamically.
- RSVP signaling messages are exchanged between the source and destination devices.
- The RSVP process interacts with the QoS manager on router interfaces to "reserve" bandwidth resources.
- Calls are admitted or rejected based on the outcome of the RSVP reservations.


Traffic Engineering Terms


- Grade of service
- Erlang
- Centum call seconds
- Busy hour
- Busy hour traffic
- Blocking probability
- Call Detail Record


Erlang Tables
- Show erlangs of offered traffic, number of circuits, and grade of service
- Three common erlang tables:
  - Erlang B assumes that calls receiving a busy signal are immediately cleared.
  - Extended Erlang B assumes that a certain percentage of calls receiving a busy signal are redialed.
  - Erlang C assumes that blocked calls are queued.


Example: Erlang B Table


- Number of erlangs decreases with the decreased blocking probability.
- Number of erlangs increases with the number of simultaneous connections.

Blocking probability (columns) by number of circuits (rows):

Number of Circuits | 0.003 | 0.005 | 0.01  | 0.02  | 0.03  | 0.05
1                  | 0.003 | 0.006 | 0.011 | 0.021 | 0.031 | 0.053
2                  | 0.081 | 0.106 | 0.153 | 0.224 | 0.282 | 0.382
3                  | 0.289 | 0.349 | 0.456 | 0.603 | 0.716 | 0.900
4                  | 0.602 | 0.702 | 0.870 | 1.093 | 1.259 | 1.525
5                  | 0.996 | 1.132 | 1.361 | 1.658 | 1.876 | 2.219
6                  | 1.447 | 1.822 | 1.900 | 2.278 | 2.543 | 2.961
7                  | 1.947 | 2.158 | 2.501 | 2.936 | 3.250 | 3.738
8                  | 2.484 | 2.730 | 3.128 | 3.627 | 3.987 | 4.543
9                  | 3.053 | 3.333 | 3.783 | 4.345 | 4.748 | 5.371
10                 | 3.648 | 3.961 | 4.462 | 5.084 | 5.530 | 6.216

Table cells are busy hour traffic (BHT) in erlangs.
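The Erlang B relationships behind the table on this slide and the definitions on the previous one, as an added example that is not part of the course material: the standard Erlang B recursion gives the blocking probability, a bisection inverts it to reproduce a table cell (offered traffic for N circuits at a given grade of service), and a sizing helper answers the design question of how many circuits a busy hour traffic figure needs. The slide's table appears to round up to three decimals, so the functions return unrounded values.

```python
"""Erlang B calculator that reproduces the slide's table.

Added example, not Cisco's material. Erlang B models blocked calls as
cleared (not redialed, not queued), which is the assumption the slide gives
for this table type.
"""


def erlang_b(circuits, erlangs):
    """Blocking probability for `erlangs` of offered traffic on `circuits` trunks."""
    if erlangs <= 0:
        return 0.0
    b = 1.0                                   # B(0, A) = 1: with no circuits every call blocks
    for k in range(1, circuits + 1):
        b = erlangs * b / (k + erlangs * b)   # B(k, A) = A*B(k-1, A) / (k + A*B(k-1, A))
    return b


def offered_traffic(circuits, blocking, tolerance=1e-9):
    """Invert Erlang B: the offered traffic (erlangs) at which `circuits` trunks
    block exactly the fraction `blocking` of calls. This is one cell of the table."""
    lo, hi = 0.0, float(circuits)
    while erlang_b(circuits, hi) < blocking:  # widen until the target is bracketed
        hi *= 2
    while hi - lo > tolerance:                # B(N, A) increases with A, so bisect
        mid = (lo + hi) / 2
        if erlang_b(circuits, mid) < blocking:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def circuits_needed(bht_erlangs, blocking, limit=10_000):
    """Smallest trunk count whose blocking at `bht_erlangs` meets the grade of service."""
    for n in range(1, limit + 1):
        if erlang_b(n, bht_erlangs) <= blocking:
            return n
    raise ValueError("more than %d circuits needed" % limit)


def erlang_b_table(max_circuits=10, probabilities=(0.003, 0.005, 0.01, 0.02, 0.03, 0.05)):
    """Rows of (circuits, [erlangs for each blocking probability]), laid out like the slide."""
    return [(n, [offered_traffic(n, p) for p in probabilities])
            for n in range(1, max_circuits + 1)]


if __name__ == "__main__":
    for n, row in erlang_b_table():
        print("{:>2}  ".format(n) + "  ".join("{:6.3f}".format(a) for a in row))
```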



Summary
- Voice quality in an IP network is directly affected by delay, jitter, and packet loss.
- An echo is the audible leak of the voice of the caller into the receive (return) path.
- Voice communication over IP relies on voice that is coded and encapsulated into IP packets.
- A primary WAN issue when network designers are designing voice on IP networks is bandwidth availability.
- QoS mechanisms are important for networks that carry voice.
- Traffic engineering is the science of selecting the right number of lines and the proper types of service to accommodate users.



Integrating Voice in the Network Design


- Define the requirements for voice services.
- Select an IP telephony design model based on the requirements.
- Implement voice support in the infrastructure:
  - Select appropriate call control and transport protocols.
  - Select appropriate coding and compression mechanisms.
  - Provision needed bandwidth.
  - Deploy VoIP components.
  - Implement end-to-end QoS.


Module Summary
- New IP telephony solutions must integrate into existing environments and provide similar functionality.
- Business needs are driving the demand for unified networks that support unified communications.
- Many issues affect voice traffic, such as delay, jitter, packet loss, congestion, and slow-speed links.
- Compression techniques, LFI, and QoS mechanisms can alleviate many of these issues.



Identifying Wireless Networking Considerations

Designing for Cisco Internetwork Solutions (DESGN) v2.0


Introducing the Cisco Unified Wireless Network

Identifying Wireless Networking Considerations


Wireless LAN Background


- WLANs provide network connectivity over radio waves.
- Wireless stations connect to wireless access points.
- Access points connect to the wired network.
- Access points were traditionally autonomous.
- Scaling the design and adding applications was challenging.


Cisco Unified Wireless Network Elements


Intelligent information network elements:


- Mobility services
- Network management
- Network unification
- Access points
- Client devices


Cisco Unified Wireless Network Split-MAC Operation

Access point MAC functions:
- 802.11: Beacons, probe response
- 802.11 control: Packet acknowledgment and transmission
- 802.11e: Frame queuing and packet prioritization
- 802.11i: MAC layer data encryption and decryption

Controller MAC functions:
- 802.11 MAC management: Association requests and actions
- 802.11e: Resource reservation
- 802.11i: Authentication and key management

LWAPP Fundamentals
- LWAPP is an IETF draft specification.
- Access points communicate with a WLC using LWAPP:
  - LWAPP control messages are exchanged between a WLC and access points.
  - LWAPP data messages encapsulate data frames.
  - The LWAPP tunnel can be Layer 2 or Layer 3.
- One WLC can manage multiple access points.
- The WLC supplies configuration and firmware updates to access points.


Example: Layer 2 LWAPP Architecture

- Access points do not require IP addressing.
- Controllers need to be on every subnet on which access points reside.
- Layer 2 LWAPP was an early part of the architecture; many current products do not support this functionality.

Example: Layer 3 LWAPP Architecture

- Access points require IP addressing.
- Access points can communicate with a WLC across routed boundaries.
- Layer 3 LWAPP is more flexible than Layer 2 LWAPP; most current products support this LWAPP mode.

Access Point Modes


- Local mode is the default mode of operation.
- REAP mode enables a remote access point across a WAN link to communicate with the WLC.
- Rogue detector mode allows the access point to monitor rogue access points but cannot contain rogue access points.
- Monitor mode allows the access points to act as dedicated sensors for IDS and supports deauthentication capability.
- Sniffer mode functions as a network sniffer and captures and forwards all the packets on a particular channel to a remote machine that runs AiroPeek.
- Bridge mode allows the Cisco Aironet 1030 (indoor) and 1500 (outdoor mesh) access points to support point-to-point and point-to-multipoint bridging.


Wireless Infrastructure
- An autonomous access point is an 802.1Q translational bridge.
- A WLAN controller bridges client traffic centrally.


Wireless Authentication


Example: Supported EAP Types


- EAP-Transport Layer Security (EAP-TLS)
  - Mutual client and server authentication using digital certificates
- EAP-Protected EAP (EAP-PEAP)
  - Authentication of RADIUS server in TLS using digital certificate
  - Authentication of client using EAP-GTC or EAP-MSCHAPv2
- EAP Tunneled Transport Layer Security (EAP-TTLS)
  - Authentication of RADIUS server in TLS using server certificate
  - Authentication of client using username and password
- Cisco LEAP
  - Early EAP method supported in Cisco Compatible Extensions
- Cisco EAP-FAST
  - Three-phase EAP method supported in Cisco Compatible Extensions


Important WLAN Controller Components


Three important components to understand:
- Port: Physical connection to a neighbor switch or router
- Interface: Logical connection mapping to a VLAN on the wired network
- WLAN: Logical entity that maps an SSID to an interface at the controller, along with security, QoS, radio policies, and other wireless networking parameters


Summary of WLC Interfaces


- Management interface: Used for in-band management, connectivity to AAA and other enterprise services, and for Layer 2 access point autodiscovery and association
- AP-manager interface: The source IP address used for access point-to-controller communication and Layer 3 access point autodiscovery and association
- Dynamic interface: Designated for WLAN client data; analogous to a VLAN
- Virtual interface: Supports DHCP relay, Layer 3 security authentication, and mobility management
- Service-port interface: Provides out-of-band management of the controller


Example: WLANs, Interfaces, and Ports


Cisco Wireless LAN Controller Platforms


Platform                                                | Number of Access Points Supported
Cisco 2000 Series Wireless LAN Controller               | 6
Cisco Wireless LAN Controller Module for ISRs           | 6
Cisco Catalyst 3750G Integrated Wireless LAN Controller | Up to 50
Cisco 4400 Series Wireless LAN Controller               | Up to 100
Cisco Catalyst 6500 Series Wireless Services Module     | Up to 300

Note: The number of access points supported may change as products are updated. Check www.cisco.com for the latest information.


Access Point Scalability Considerations


- 4400x series controllers allow 48 access points per port in the absence of link aggregation.
- Two options for scaling are:
  - Multiple AP manager interfaces (supported only on 4400x appliance controllers).
  - Link aggregation (supported on 4400x appliances, Cisco WiSM, and the Cisco 3750G Integrated Wireless LAN Controller).
- With multiple AP manager interfaces, the LWAPP algorithm load-balances access points across the AP manager interfaces.
- With LAG, one AP manager interface load-balances traffic across an EtherChannel interface.


Example: Multiple AP Manager Interfaces


- Each AP manager interface is mapped to a physical port.
- Access point load is dynamically distributed.
- Redundancy advantage: The platform can be connected to multiple devices.
- Redundancy concern: Only 48 access points are supported per port.


Example: LAG with a Single AP Manager Interface


- One LAG group per Cisco Wireless LAN Controller is supported.
- Packets are forwarded out the same port they arrived on.
- It is recommended that you use LAG if possible.


Summary
- The Cisco Unified Wireless Network architecture centralizes WLAN configuration and control on Cisco Wireless LAN Controllers.
- Cisco Wireless LAN Controllers manage access points using LWAPP.
- The Cisco Unified Wireless Network is based on devices connecting to access points using RF signals, access points sending client traffic to controllers across an LWAPP tunnel, and Cisco Wireless LAN Controllers placing the traffic in the appropriate VLAN in the wired network.
- Cisco Wireless LAN Controller components include ports (physical connections), interfaces (logical mappings to a VLAN), and WLANs (logical mappings of an SSID to an interface).
- Cisco Wireless LAN Controller platforms can support 6 to 300 access points.


Understanding Wireless Network Controller Technology

Identifying Wireless Networking Considerations


LWAPP Discovery

1. The access point issues a DHCPDISCOVER to get an IP address.
2. If the access point supports Layer 2 LWAPP, attempt Layer 2 discovery.
3. Else, attempt Layer 3 LWAPP discovery.
4. If there is no WLC response, the access point reboots and returns to Step 1.

Layer 3 LWAPP Discovery Algorithm


- Access point sends Layer 3 LWAPP discovery requests:
  1. As broadcasts on the local subnet
  2. As unicast LWAPP discovery requests to WLC IP addresses advertised by other access points, if OTAP is enabled on the WLCs
  3. To all previously stored WLC IP addresses
  4. To IP addresses learned through DHCP Option 43
  5. To IP addresses learned through DNS resolution of CISCO-LWAPP-CONTROLLER.localdomain
- WLCs receiving the discovery message reply with a unicast LWAPP discovery response message.
- The access point compiles a list of candidate controllers.


WLC Selection Algorithm


- The LWAPP discovery and selection mechanism is a design decision.
- The LWAPP discovery response contains WLC information.
- After the LWAPP discovery interval timer, the access point selects a WLC to send an LWAPP join request based on:
  1. Previously configured primary, secondary, or tertiary WLCs (specified in the controller sysName)
  2. WLC configured as a master controller
  3. WLC with the greatest capacity for access point associations
- The WLC validates the access point and sends an LWAPP join response.
- An encryption key is derived, and future messages are encrypted.
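The discovery order from the previous slide and the selection order from this one, as an added example that is not Cisco's code: discovery_targets builds the Layer 3 discovery destination list in the slide's order, and select_wlc applies the three-step preference to constructed discovery responses. The response fields, the controller names and addresses, and the rule that a controller with no free access point capacity is skipped are assumptions of the example.

```python
"""LWAPP Layer 3 discovery targets and WLC selection, modelled on the slides.

Added example, not Cisco's code. DiscoveryResponse holds a constructed subset
of what a discovery response carries; treating a controller that is already
full as unusable is this example's assumption, not a rule stated on the slide.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

BROADCAST = "255.255.255.255"   # step 1: Layer 3 discovery broadcast on the local subnet


def discovery_targets(otap_addresses: Iterable[str] = (), stored_addresses: Iterable[str] = (),
                      dhcp_option43: Iterable[str] = (), dns_addresses: Iterable[str] = (),
                      otap_enabled: bool = True) -> List[str]:
    """Ordered, de-duplicated destinations for Layer 3 LWAPP discovery requests,
    in the order the slide lists them (1 broadcast ... 5 DNS)."""
    ordered = [BROADCAST]
    if otap_enabled:
        ordered += list(otap_addresses)   # 2: WLC addresses advertised by other access points (OTAP)
    ordered += list(stored_addresses)     # 3: previously stored WLC addresses
    ordered += list(dhcp_option43)        # 4: addresses learned through DHCP Option 43
    ordered += list(dns_addresses)        # 5: DNS resolution of CISCO-LWAPP-CONTROLLER.localdomain
    seen, targets = set(), []
    for addr in ordered:                  # one request per distinct WLC address
        if addr not in seen:
            seen.add(addr)
            targets.append(addr)
    return targets


@dataclass(frozen=True)
class DiscoveryResponse:
    sys_name: str       # controller sysName, the key used for primary/secondary/tertiary
    is_master: bool     # controller configured as the master controller
    max_aps: int        # access points the platform supports
    joined_aps: int     # access points currently joined

    @property
    def free_capacity(self) -> int:
        return self.max_aps - self.joined_aps


def select_wlc(responses: Iterable[DiscoveryResponse], primary: Optional[str] = None,
               secondary: Optional[str] = None, tertiary: Optional[str] = None) -> Optional[DiscoveryResponse]:
    """Pick the WLC for the LWAPP join request in the slide's order: a configured
    primary/secondary/tertiary controller that answered, else a master controller,
    else the controller with the greatest capacity for access point associations."""
    usable = [r for r in responses if r.free_capacity > 0]   # assumption: a full WLC cannot take the join
    by_name = {r.sys_name: r for r in usable}
    for preferred in (primary, secondary, tertiary):         # step 1: configured controllers, in order
        if preferred is not None and preferred in by_name:
            return by_name[preferred]
    masters = [r for r in usable if r.is_master]             # step 2: master controller(s)
    pool = masters or usable                                 # step 3: everyone that answered
    if not pool:
        return None
    return max(pool, key=lambda r: r.free_capacity)
```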

Access Point Operations


- The access point downloads firmware from the WLC if its code version does not match the WLC.
- The WLC provisions the access point with the SSID, security, QoS, and other parameters.
- The WLC periodically queries access points for status.
- The access point periodically sends an LWAPP heartbeat (every 30 seconds):
  - If the heartbeat is not acknowledged, the access point resends.
  - If the heartbeat is not acknowledged in five attempts, the access point looks for a new WLC.


WLC Deployment Considerations


- Mobility
- Radio management
- Redundancy and load balancing
- Scaling
- IP addressing


Mobility Defined
- Mobility is a key reason for wireless networks.
- Mobility means the end-user device is capable of moving to a new location.
- Roaming occurs when a wireless client moves its association from one access point and reassociates to another.
- Mobility presents new challenges:
  - Need to scale the architecture to support client roaming; roaming can occur intracontroller and intercontroller.
  - Depending on the application, may need to support Layer 2 or Layer 3 roaming.
  - Need to support client roaming that is seamless (fast) and preserves security.


Intracontroller Roaming
- Intracontroller roaming occurs when a client moves its association to another access point joined to the same WLC.
- The client may need to be reauthenticated and a new security session established.
- The controller updates the client database entry with the new access point and the appropriate security context.
- No IP address refresh is needed.


Intercontroller Roaming: Layer 2

- Traffic on the same IP subnet
- Client database entry moved to the new WLC
- Reauthenticated and new security session established as needed
- No IP address refresh needed
2007 Cisco Systems, Inc. All rights reserved. DESGN v2.08-9

The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.

www.CareerCert.info

Intercontroller Roaming: Layer 3

- The new WLC uses a different subnet; the client IP address does not change.
- The original WLC is tagged as the anchor.
- The client database entry is copied to the new WLC, which is tagged as foreign.
- The traffic path is asymmetric.
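The three roam types above differ in what happens to the client database entry and the client's IP address. The following Python model, added here as an illustration and not part of the DESGN course material, classifies a roam and applies the described database handling; the controller names, subnets, client addresses and the asymmetric-path description in l3_traffic_path are constructed assumptions.

```python
"""Model the three roam types described on the slides and the controller
state each one leaves behind.  Added example, not part of the DESGN course
material; controller names, subnets and client addresses are constructed."""
from dataclasses import dataclass, field


@dataclass
class ClientEntry:
    mac: str
    ip: str
    ap: str
    role: str = "local"      # "local", "anchor" (original WLC) or "foreign" (new WLC)


@dataclass
class WLC:
    name: str
    subnet: str              # subnet the controller places this WLAN's clients on
    clients: dict = field(default_factory=dict)   # client MAC -> ClientEntry


def classify_roam(old_wlc: WLC, new_wlc: WLC) -> str:
    """Intracontroller if the new AP is joined to the same WLC, otherwise
    Layer 2 or Layer 3 intercontroller depending on whether the subnet changes."""
    if old_wlc is new_wlc:
        return "intracontroller"
    if old_wlc.subnet == new_wlc.subnet:
        return "intercontroller-L2"
    return "intercontroller-L3"


def roam(mac: str, old_wlc: WLC, new_wlc: WLC, new_ap: str) -> str:
    """Apply the database handling for one roam and return the roam type."""
    kind = classify_roam(old_wlc, new_wlc)
    entry = old_wlc.clients[mac]
    if kind == "intracontroller":
        # Same database entry, updated with the new AP; the client may be
        # reauthenticated, but its IP address is unchanged.
        entry.ap = new_ap
    elif kind == "intercontroller-L2":
        # Entry is moved to the new WLC; same subnet, so no IP refresh.
        del old_wlc.clients[mac]
        entry.ap = new_ap
        new_wlc.clients[mac] = entry
    else:
        # Entry is copied: the original WLC keeps it tagged "anchor", the new
        # WLC holds a copy tagged "foreign".  The client keeps its IP address
        # even though the new WLC serves a different subnet.
        entry.role = "anchor"
        new_wlc.clients[mac] = ClientEntry(entry.mac, entry.ip, new_ap, role="foreign")
    return kind


def l3_traffic_path(direction: str) -> list:
    """Asymmetric path after a Layer 3 roam (assumption: client-sourced traffic
    leaves through the foreign WLC, while traffic to the client's unchanged IP
    arrives at the anchor and is tunneled to the foreign WLC)."""
    if direction == "from_client":
        return ["client", "foreign WLC", "network"]
    return ["network", "anchor WLC", "foreign WLC", "client"]


def demo() -> dict:
    """Run one roam of each type and report where the client entry ended up."""
    wlc_a = WLC("wlc-a", "10.10.0.0/24")
    wlc_b = WLC("wlc-b", "10.10.0.0/24")   # same subnet as wlc-a -> Layer 2 roam
    wlc_c = WLC("wlc-c", "10.20.0.0/24")   # different subnet      -> Layer 3 roam
    mac = "00:11:22:33:44:55"               # constructed client
    wlc_a.clients[mac] = ClientEntry(mac, "10.10.0.50", "ap-1")

    kinds = [
        roam(mac, wlc_a, wlc_a, "ap-2"),
        roam(mac, wlc_a, wlc_b, "ap-3"),
        roam(mac, wlc_b, wlc_c, "ap-4"),
    ]
    return {
        "kinds": kinds,
        "anchor": (wlc_b.name, wlc_b.clients[mac].role),
        "foreign": (wlc_c.name, wlc_c.clients[mac].role),
        "ip_unchanged": wlc_c.clients[mac].ip == "10.10.0.50",
        "left_a": mac not in wlc_a.clients,
    }


if __name__ == "__main__":
    print(demo())
```

The model makes the design point visible: after a Layer 3 roam two controllers hold state for one client, and return traffic takes a longer path through the anchor, which is why the recommended practices later in this lesson prefer Layer 2 roaming and low latency between controllers.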

Scaling the Architecture with Mobility Groups

- Mobility groups allow controllers to peer with each other to support seamless roaming across controller boundaries, access point load balancing, and controller redundancy.
- Mobility messages are exchanged between controllers.
- Data is tunneled between controllers in Ethernet-in-IP (EtherIP).
- Each WLC in a mobility group is configured with a list of the other members.
- Access points learn the IP addresses of the other members of the mobility group after the LWAPP join process.
- Mobility groups support up to 24 controllers and 3600 access points.
- WLCs should be placed in mobility groups when intercontroller roaming is possible and for controller redundancy.

Mobility Group Requirements

- IP connectivity must exist between the management interfaces of all WLC devices.
- All WLCs must be configured with the same mobility group name. The mobility group name is case-sensitive.
- All WLCs must be configured to use the same virtual interface IP address.
- Each WLC is configured with the MAC address and IP address of all the other mobility group members.
- The WLCs exchange messages using UDP port 16666 (unencrypted) or UDP port 16667 (encrypted).
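These requirements are easy to get subtly wrong (a group name in the wrong case, one controller missing from another's member list), and a failure shows up only as a broken roam. The checker below, added here as an example and not Cisco code, validates a set of controller definitions against the five requirements and derives the minimal UDP permit list for the mobility control channel; controller names, management addresses and MAC addresses are constructed, and the reachable() callback stands in for a real connectivity test.

```python
"""Validate a set of WLC configurations against the mobility group
requirements on the slide.  Added example, not Cisco code; controller
names, addresses and MAC addresses are constructed."""

MOBILITY_UDP_PORT_CLEAR = 16666      # mobility messages, unencrypted
MOBILITY_UDP_PORT_ENCRYPTED = 16667  # mobility messages, encrypted

SAMPLE_CONTROLLERS = [  # constructed sample: wlc-3 has two configuration mistakes
    {"name": "wlc-1", "group": "Campus", "mgmt_ip": "10.0.0.1", "virtual_ip": "1.1.1.1",
     "mac": "00:0b:85:00:00:01",
     "members": {("00:0b:85:00:00:02", "10.0.0.2"), ("00:0b:85:00:00:03", "10.0.0.3")}},
    {"name": "wlc-2", "group": "Campus", "mgmt_ip": "10.0.0.2", "virtual_ip": "1.1.1.1",
     "mac": "00:0b:85:00:00:02",
     "members": {("00:0b:85:00:00:01", "10.0.0.1"), ("00:0b:85:00:00:03", "10.0.0.3")}},
    {"name": "wlc-3", "group": "campus", "mgmt_ip": "10.0.0.3", "virtual_ip": "1.1.1.1",
     "mac": "00:0b:85:00:00:03",
     "members": {("00:0b:85:00:00:01", "10.0.0.1")}},   # wrong case, wlc-2 missing
]


def check_mobility_group(controllers, reachable):
    """controllers: dicts with keys name, group, mgmt_ip, virtual_ip, mac and
    members (set of (mac, ip) tuples the WLC is configured with).
    reachable(a, b): stands in for a management-interface connectivity test.
    Returns a list of human-readable problems; an empty list means valid."""
    problems = []

    groups = {c["group"] for c in controllers}    # compared case-sensitively on purpose
    if len(groups) > 1:
        problems.append(f"mobility group names differ (case-sensitive): {sorted(groups)}")

    virtuals = {c["virtual_ip"] for c in controllers}
    if len(virtuals) > 1:
        problems.append(f"virtual interface addresses differ: {sorted(virtuals)}")

    for c in controllers:
        for other in controllers:
            if other is c:
                continue
            if (other["mac"], other["mgmt_ip"]) not in c["members"]:
                problems.append(f"{c['name']} lacks member {other['name']} "
                                f"({other['mac']}, {other['mgmt_ip']})")
            if not reachable(c["mgmt_ip"], other["mgmt_ip"]):
                problems.append(f"{c['name']} cannot reach {other['name']} "
                                f"management interface {other['mgmt_ip']}")
    return problems


def mobility_acl(controllers, encrypted=True):
    """Permit tuples (src, dst, protocol, port) for the mobility control
    channel between every pair of management interfaces.  Choosing the
    encrypted port means only one UDP port has to be opened between controllers."""
    port = MOBILITY_UDP_PORT_ENCRYPTED if encrypted else MOBILITY_UDP_PORT_CLEAR
    return [(a["mgmt_ip"], b["mgmt_ip"], "udp", port)
            for a in controllers for b in controllers if a is not b]


def demo():
    """Run the checker over the constructed sample."""
    def reachable(a, b):
        # constructed: a filter between wlc-2 and wlc-3 blocks management traffic
        return {a, b} != {"10.0.0.2", "10.0.0.3"}
    return check_mobility_group(SAMPLE_CONTROLLERS, reachable)


if __name__ == "__main__":
    for problem in demo():
        print("-", problem)
```

Run against the sample, the checker reports the case mismatch, the missing member entry on wlc-3, and the reachability failure in both directions. Because the member check is symmetric, it also catches the one-sided configuration that lets mobility messages flow one way but not the other.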

Supporting Roaming: Recommended Practices

- Minimize intercontroller roaming in your designs.
- Design the network for <= 10 ms RTT latency between controllers.
- Intercontroller Layer 2 roaming is more efficient than Layer 3 roaming.
- Use PKC or CCKM to speed up and secure roaming.
- Client roaming capabilities vary by vendor, driver, and supplicant. Look for the Cisco Compatible Extensions v4 feature set.

Controller Redundancy Design

An access point selects its WLC with this sequence:

1. [Deterministic] If an access point has been previously configured with a primary, secondary, or tertiary controller, the access point attempts to join these first (specified by controller sysName).
2. [Initializing] The access point attempts to join a WLC configured as a master controller.
3. [Dynamic] The access point attempts to join the WLC with the greatest availability for access point associations.
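The three-step sequence is what makes deterministic designs predictable: the dynamic step only runs when nothing configured is joinable. The function below, an added example rather than Cisco code, replays the sequence for one access point against a constructed set of controllers; reading "greatest availability" as the most free access point slots, and treating a controller that is unreachable or at capacity as not joinable, are assumptions.

```python
"""Replay the controller selection sequence from the slide for one access
point.  Added example, not Cisco code; controller names, capacities and the
'free AP slots' reading of 'greatest availability' are assumptions."""

SAMPLE_CONTROLLERS = [  # constructed: sysName, master flag, AP capacity, APs joined, reachable
    {"name": "wlc-1", "master": False, "capacity": 50, "joined": 50, "reachable": True},
    {"name": "wlc-2", "master": False, "capacity": 50, "joined": 10, "reachable": True},
    {"name": "wlc-3", "master": False, "capacity": 100, "joined": 20, "reachable": True},
    {"name": "wlc-4", "master": False, "capacity": 25, "joined": 5, "reachable": False},
]


def select_controller(ap: dict, controllers: list):
    """ap: dict with optional 'primary', 'secondary', 'tertiary' sysNames.
    controllers: dicts with name, master, capacity, joined, reachable.
    Returns (controller or None, phase), where phase names the step that chose it."""
    available = {c["name"]: c for c in controllers
                 if c["reachable"] and c["joined"] < c["capacity"]}

    # [Deterministic] statically configured primary, secondary, tertiary, in that order
    for key in ("primary", "secondary", "tertiary"):
        name = ap.get(key)
        if name in available:
            return available[name], "deterministic"

    # [Initializing] a controller configured as master controller
    for c in available.values():
        if c["master"]:
            return c, "initializing"

    # [Dynamic] the controller with the most room for access point associations
    if available:
        best = max(available.values(), key=lambda c: c["capacity"] - c["joined"])
        return best, "dynamic"
    return None, "none"


def demo() -> list:
    """Four scenarios: primary full, primary unreachable with a master present,
    no static configuration at all, and nothing reachable."""
    results = []

    c, phase = select_controller({"primary": "wlc-1", "secondary": "wlc-2"}, SAMPLE_CONTROLLERS)
    results.append((c["name"], phase))          # wlc-1 is full, so the secondary wins

    with_master = [dict(x, master=(x["name"] == "wlc-3")) for x in SAMPLE_CONTROLLERS]
    c, phase = select_controller({"primary": "wlc-4"}, with_master)
    results.append((c["name"], phase))          # wlc-4 unreachable, master controller wins

    c, phase = select_controller({}, SAMPLE_CONTROLLERS)
    results.append((c["name"], phase))          # nothing configured: most free slots wins

    c, phase = select_controller({}, [dict(x, reachable=False) for x in SAMPLE_CONTROLLERS])
    results.append((None if c is None else c["name"], phase))
    return results


if __name__ == "__main__":
    for name, phase in demo():
        print(f"{phase:14s} -> {name}")
```

The second scenario shows the trap the next slides warn about: an access point whose only configured controller is down silently drops into the initializing or dynamic steps, and where it lands then depends on the current load rather than on the design.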

Deterministic Controller Redundancy

The administrator statically assigns each access point a primary, secondary, or tertiary controller.

Advantages include:
- Predictability (easier operational management)
- More network stability
- More flexible and powerful redundancy design options
- Faster failover times
- Fallback option in the case of failover

Disadvantages include:
- More upfront planning and configuration

Recommended leading practice is to use deterministic redundancy.

Example: Deterministic Controller Redundancy


Dynamic Controller Redundancy

The design relies on LWAPP to load-balance access points across controllers and to populate access points with backup WLC information. The design works better when controllers are clustered in a centralized design.

Advantages include:
- Easy to deploy and configure
- Access points dynamically load-balance

Disadvantages include:
- More intercontroller roaming
- Bigger operational challenges due to unpredictability
- Longer failover times
- No fallback option in the event of controller failure

Recommended practice is not to use dynamic redundancy.

Example: Dynamic Redundancy


Deterministic Redundancy Designs: N+1


Deterministic Redundancy Designs: N+N


Deterministic Redundancy Designs: N+N+1


Radio Resource Management

Key RF challenges with 802.11:
- Limited nonoverlapping channels
- Physical characteristics of RF propagation
- Contention for the medium
- Transient nature of RF environments

RRM addresses these challenges:
- Continuous analysis of the RF environment
- Dynamic channel assignment
- Interference detection and avoidance
- Dynamic transmit power control
- Coverage hole detection and correction
- Client and network load balancing

RF Grouping

1. Access points send and receive neighbor messages.

2. If access points on different WLCs hear neighbor messages in the same RF group at -80 dBm or stronger, they pass information to their WLC.

3. Controllers elect an RF group leader that analyzes RF data.

Access Point Self-Healing

- Access points receive neighbor messages from neighbor access points.
- Access points report a lost neighbor when they no longer receive neighbor messages at -65 dBm.
- RRM is used to increase power on access points near the lost access point.
- RRM can also adjust channel selection if needed.
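Both the RF Grouping steps and the self-healing slide above are driven by the same input, the neighbor messages and the RSSI at which they are heard. The script below, added as an example and not Cisco code, takes a constructed set of neighbor reports, merges controllers into RF groups at the -80 dBm threshold, elects a leader, and then flags a neighbor that has gone silent so that RRM can raise power around it. The AP and WLC names and RSSI values are constructed, choosing the alphabetically first controller as group leader is an assumption (the slide only says a leader is elected), and the lost-neighbor threshold is taken as an RSSI of -65 dBm.

```python
"""Form RF groups from neighbor-message reports and flag lost neighbors, as
described on the RF Grouping and Access Point Self-Healing slides.  Added
example, not Cisco code: AP and WLC names and RSSI values are constructed,
and electing the alphabetically first WLC as group leader is an assumption."""

RF_GROUP_RSSI_DBM = -80       # neighbor heard this strong or stronger -> same RF group
LOST_NEIGHBOR_RSSI_DBM = -65  # neighbor previously heard this strong that goes quiet

AP_TO_WLC = {"ap1": "wlc-a", "ap2": "wlc-a", "ap3": "wlc-b", "ap4": "wlc-c", "ap5": "wlc-c"}

# Constructed neighbor reports: (hearing AP, heard AP, RSSI in dBm)
REPORTS_BEFORE = [
    ("ap1", "ap2", -60), ("ap2", "ap1", -62),
    ("ap2", "ap3", -78), ("ap3", "ap2", -79),   # crosses wlc-a / wlc-b above -80 dBm
    ("ap3", "ap4", -88), ("ap4", "ap3", -90),   # too weak to pull wlc-c into the group
    ("ap4", "ap5", -70), ("ap5", "ap4", -71),
]
# Same environment after ap1 has gone quiet: nobody hears ap1 any more
REPORTS_AFTER = [r for r in REPORTS_BEFORE if r[1] != "ap1"]


def rf_groups(reports, ap_to_wlc, threshold=RF_GROUP_RSSI_DBM):
    """Union-find over controllers: WLCs whose APs hear each other at or above
    the threshold end up in one RF group.  Returns {leader: sorted members}."""
    parent = {wlc: wlc for wlc in set(ap_to_wlc.values())}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for hearer, heard, rssi in reports:
        a, b = ap_to_wlc[hearer], ap_to_wlc[heard]
        if a != b and rssi >= threshold:    # only cross-controller neighbors matter
            ra, rb = find(a), find(b)
            if ra != rb:
                parent[max(ra, rb)] = min(ra, rb)   # leader = lowest name (assumption)

    groups = {}
    for wlc in parent:
        groups.setdefault(find(wlc), []).append(wlc)
    return {leader: sorted(members) for leader, members in groups.items()}


def lost_neighbors(before, after, threshold=LOST_NEIGHBOR_RSSI_DBM):
    """APs that a neighbor used to hear at or above the threshold and no longer
    hears at that level.  Returns {lost AP: set of APs whose transmit power RRM
    should raise}, i.e. the neighbors that reported the loss."""
    heard_now = {(hearer, heard): rssi for hearer, heard, rssi in after}
    lost = {}
    for hearer, heard, rssi in before:
        if rssi >= threshold and heard_now.get((hearer, heard), float("-inf")) < threshold:
            lost.setdefault(heard, set()).add(hearer)
    return lost


if __name__ == "__main__":
    print("RF groups (leader -> members):", rf_groups(REPORTS_BEFORE, AP_TO_WLC))
    print("lost neighbors -> APs to boost:", lost_neighbors(REPORTS_BEFORE, REPORTS_AFTER))
```

With the sample reports, wlc-a and wlc-b form one RF group led by wlc-a because ap2 and ap3 hear each other at -78 and -79 dBm, while wlc-c stays in its own group since its nearest foreign neighbor is only heard at -88 dBm. After ap1 goes quiet, ap2 (which heard it at -62 dBm) is the neighbor whose power RRM would raise; ap3's weak -78 dBm view of ap2 is below the lost-neighbor threshold and does not count.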

Summary

- A lightweight access point uses an LWAPP discovery and join process to connect to a WLC. Lightweight access points operate by communicating with a WLC.
- The Cisco Unified Wireless Network provides a high-quality, transparent roaming experience for clients, supporting both intracontroller and intercontroller roaming.
- It is recommended that you use deterministic controller redundancy over dynamic controller redundancy.
- RRM using RF groups is a foundation of the Cisco Unified Wireless Network architecture.


Designing Wireless Networks with Controllers

Identifying Wireless Networking Considerations


Reasons for an RF Site Survey

Defines RF characteristics in the environment:
- Discover RF coverage areas.
- Check for RF interference and issues.
- Provide RF spectrum analysis.
- Determine appropriate placement of wireless infrastructure devices.

Helps define customer requirements.

RF Site Survey Process

1. Define customer requirements.
2. Identify coverage areas and user density.
3. Determine preliminary access point locations.
4. Perform the actual surveying.
5. Document the findings.

RF Site Survey: Customer Requirements

- What type and number of wireless devices need to be supported?
- Is there current WLAN or RF equipment in place?
- Will the WLAN be used only for data? Will wireless phones be supported in the future?
- Are there peak periods to support?
- Will users be stationary or on the move while using the WLAN?
- Where should wireless coverage support be provided?
- What level of support should be provided?

RF Site Survey: Identifying Coverage Areas

[Floor-plan figure. Labelled areas: File Room or Supply Room (Large Filing or Metal Cabinets); Elevator Shafts; Office; Test Lab; Break Room (Microwave Ovens); Conference; Cubicles; Stairwells (Reinforced Building Area)]

Determining Preliminary Access Point Locations


Default Access Point Placement


Visualizing RF Coverage


Performing the Site Survey

Use tools and processes to determine coverage:
- Estimate the number of access points needed using planning.
- Measure attenuation at the corners and edges of coverage areas.
- Determine the coverage range.
- Build the WLAN coverage.
- Identify coverage holes.
Site Survey Report

All information gathered and developed during the site survey should be included in the report:
- Detail customer requirements.
- Describe and diagram access point coverage. Be very specific when describing equipment placement locations.
- Mark areas that are covered as well as those not needing coverage.
- The parts list should include:
  - Access points
  - Antennas
  - Accessories and network components
- Discuss the tools that were used and the survey methods.

Supporting Guest Access


Path Isolation with Ethernet in IP Tunnel

- EtherIP tunnels are used to logically segment and transport the guest traffic between edge and anchor controllers.
- Other traffic (employee traffic, for example) is still locally bridged on the corresponding VLAN.
- There is no need to define the guest VLANs on the switches connected to the edge controllers.
- The original Ethernet frame from the guest is maintained across the LWAPP and EtherIP tunnels.
- EtherIP is supported across all WLAN controllers; the 2006 WLC cannot anchor EtherIP connections.
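The slide's point that the guest's original Ethernet frame survives the EtherIP tunnel is easiest to see at the byte level. The script below, added as an example and not Cisco code, builds a guest frame, wraps it the way EtherIP does (IP protocol 97 with a 2-byte header whose 4-bit version field is 3, per RFC 3378), and then classifies the resulting packet the way a monitoring point between edge and anchor controllers would. The controller addresses, MAC addresses and payload are constructed; the IPv4 header builder is minimal (no options, no fragmentation).

```python
"""Build and classify an EtherIP (IP protocol 97, RFC 3378) packet of the
kind the slide describes for carrying guest Ethernet frames between edge
and anchor controllers.  Added example, not Cisco code: the controller
addresses, MAC addresses and payload are constructed."""
import socket
import struct

ETHERIP_IP_PROTO = 97
ETHERIP_VERSION = 3          # RFC 3378: 4-bit version field followed by 12 reserved bits


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ethernet_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def etherip_encapsulate(frame: bytes) -> bytes:
    """Prefix the untouched Ethernet frame with the 2-byte EtherIP header."""
    if len(frame) < 14:
        raise ValueError("not an Ethernet frame")
    return struct.pack("!H", ETHERIP_VERSION << 12) + frame


def etherip_decapsulate(payload: bytes) -> bytes:
    """Strip the EtherIP header, rejecting anything but version 3 with reserved bits clear."""
    if len(payload) < 2 + 14:
        raise ValueError("EtherIP payload too short")
    (hdr,) = struct.unpack("!H", payload[:2])
    if hdr >> 12 != ETHERIP_VERSION or hdr & 0x0FFF:
        raise ValueError("bad EtherIP header")
    return payload[2:]


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum; recomputing over a valid header yields 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src_ip: str, dst_ip: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                         0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def guest_tunnel_packet(edge_ip: str, anchor_ip: str, guest_frame: bytes) -> bytes:
    """What the edge controller sends toward the anchor for one guest frame."""
    return ipv4_packet(edge_ip, anchor_ip, ETHERIP_IP_PROTO, etherip_encapsulate(guest_frame))


def classify_packet(packet: bytes) -> dict:
    """What a monitoring point sees: is this EtherIP, between which controller
    addresses, and which guest frame does it carry?"""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    proto = packet[9]
    info = {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "proto": proto, "is_etherip": proto == ETHERIP_IP_PROTO}
    if info["is_etherip"]:
        frame = etherip_decapsulate(packet[ihl:])
        info["inner_frame"] = frame
        info["inner_dst"], info["inner_src"] = frame[:6].hex(":"), frame[6:12].hex(":")
        info["ethertype"] = struct.unpack("!H", frame[12:14])[0]
    return info


# Constructed guest frame: destination gateway MAC, guest client MAC, IPv4 payload
GUEST_FRAME = ethernet_frame("00:1a:2b:3c:4d:5e", "00:de:ad:be:ef:01", 0x0800,
                             b"constructed guest IP packet")


def demo() -> dict:
    packet = guest_tunnel_packet("10.1.1.10", "10.2.2.20", GUEST_FRAME)   # edge -> anchor
    info = classify_packet(packet)
    info["frame_intact"] = info["inner_frame"] == GUEST_FRAME
    return info


if __name__ == "__main__":
    print({k: v for k, v in demo().items() if k != "inner_frame"})
```

Two things worth noticing from the output: the guest's source MAC and EtherType are still readable inside the tunnel, which is what lets the anchor bridge the frame onto the guest VLAN unchanged, and EtherIP adds no confidentiality of its own, so the path between edge and anchor controllers should be treated as carrying guest traffic in the clear.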

Outdoor Wireless Deployment Options


Outdoor Wireless Mesh Solution Components

Cisco Wireless Control System
- Wireless mesh management system
- Enables networkwide policy configuration and device management
- Supports SNMP and syslog

Cisco Wireless LAN Controller
- Links the wireless mesh access points to the wired network
- Handles RF algorithms and optimization
- Seamless Layer 3 mobility
- Provides security and mobility management

Rooftop Access Point
- Serves as root or gateway access point to the wired network
- Typically located on rooftops or towers
- Connects up to 32 pole-top mesh access points using 802.11a

Mesh Access Point
- Provides 802.11b/g client access
- Connects to root access points via 802.11a
- Takes AC or DC power; PoE capable
- Ethernet port for connecting peripheral devices

Example: MAP-to-RAP Connectivity in a Square Mile


Mesh Design Recommendations

Hops    Throughput
One     ~10 Mbps
Two     ~5 Mbps
Three   ~3 Mbps
Four    Up to 1 Mbps*

Latency: < 10 ms per hop; 13 ms is typical.
Hops: Outdoor: code supports up to eight hops; four or fewer hops are recommended. Indoor: one hop is supported.
Nodes per RAP: One RAP supports up to 32 MAPs; 20 nodes are recommended.
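A mesh plan is usually drawn as a parent tree (each MAP's parent is another MAP or a RAP), and the recommendations above are limits on that tree's depth and fan-out. The checker below, added as an example and not Cisco code, computes hop depth and nodes per RAP for a constructed tree, flags anything over the supported or recommended limits, and attaches the expected throughput and latency budget per MAP; the node names are constructed, and latency is estimated with the slide's typical 13 ms per hop.

```python
"""Check a planned mesh against the recommendations in the table: hop depth
per MAP, nodes per RAP, and the expected per-hop throughput and latency.
Added example, not Cisco code; the node names and tree are constructed."""

HOP_THROUGHPUT_MBPS = {1: 10.0, 2: 5.0, 3: 3.0, 4: 1.0}   # from the table; four hops = up to 1 Mbps
TYPICAL_HOP_LATENCY_MS = 13                                 # slide: 13 ms per hop is typical
OUTDOOR_HOPS_SUPPORTED, OUTDOOR_HOPS_RECOMMENDED = 8, 4
INDOOR_HOPS_SUPPORTED = 1
MAPS_PER_RAP_SUPPORTED, MAPS_PER_RAP_RECOMMENDED = 32, 20

# Constructed plan: node -> parent, RAPs have parent None
SAMPLE_MESH = {"rap1": None, "m1": "rap1", "m2": "m1", "m3": "m2",
               "m4": "m3", "m5": "m4", "m6": "rap1"}


def hop_depths(parents: dict) -> dict:
    """Returns node -> hops to its RAP.  Raises on a parent loop or a parent
    that is not itself a node, since both would make the node unreachable."""
    depth = {}

    def resolve(node, trail):
        if node in depth:
            return depth[node]
        if node in trail:
            raise ValueError(f"parent loop through {node}")
        if node not in parents:
            raise ValueError(f"{node} is referenced as a parent but not defined")
        parent = parents[node]
        depth[node] = 0 if parent is None else 1 + resolve(parent, trail | {node})
        return depth[node]

    for node in parents:
        resolve(node, frozenset())
    return depth


def rap_of(node: str, parents: dict) -> str:
    while parents[node] is not None:
        node = parents[node]
    return node


def analyze_mesh(parents: dict, indoor: bool = False) -> dict:
    depth = hop_depths(parents)
    warnings, per_rap, budget = [], {}, {}
    for node, hops in depth.items():
        if hops == 0:
            continue                                   # a RAP has no hop budget of its own
        rap = rap_of(node, parents)
        per_rap[rap] = per_rap.get(rap, 0) + 1
        if indoor and hops > INDOOR_HOPS_SUPPORTED:
            warnings.append(f"{node}: {hops} hops; indoor supports {INDOOR_HOPS_SUPPORTED}")
        elif not indoor and hops > OUTDOOR_HOPS_SUPPORTED:
            warnings.append(f"{node}: {hops} hops exceeds the {OUTDOOR_HOPS_SUPPORTED} supported")
        elif not indoor and hops > OUTDOOR_HOPS_RECOMMENDED:
            warnings.append(f"{node}: {hops} hops exceeds the {OUTDOOR_HOPS_RECOMMENDED} recommended")
        budget[node] = {"hops": hops,
                        "throughput_mbps": HOP_THROUGHPUT_MBPS[min(hops, 4)],   # beyond 4: up to 1 Mbps
                        "latency_ms": hops * TYPICAL_HOP_LATENCY_MS}
    for rap, count in per_rap.items():
        if count > MAPS_PER_RAP_SUPPORTED:
            warnings.append(f"{rap}: {count} MAPs exceeds the {MAPS_PER_RAP_SUPPORTED} supported")
        elif count > MAPS_PER_RAP_RECOMMENDED:
            warnings.append(f"{rap}: {count} MAPs exceeds the {MAPS_PER_RAP_RECOMMENDED} recommended")
    return {"depth": depth, "maps_per_rap": per_rap, "budget": budget, "warnings": warnings}


if __name__ == "__main__":
    result = analyze_mesh(SAMPLE_MESH)
    for node, b in result["budget"].items():
        print(f"{node}: {b['hops']} hops, ~{b['throughput_mbps']} Mbps, ~{b['latency_ms']} ms")
    print("warnings:", result["warnings"])
```

For the sample, m5 sits five hops from rap1, which the code supports but the design guidance does not, and its budget drops to about 1 Mbps with roughly 65 ms of added latency; re-running with indoor=True turns every MAP beyond the first hop into a violation.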

Common Wireless Design Questions

- How many access points are needed?
- Where will the access points be placed?
- How will the access points receive power?
- How many WLCs are needed?
- Where should the WLCs be placed?

LWAPP Access Point Feature Summary

Model            Autonomous/LWAPP/both     External antenna  Outdoor install  REAP or H-REAP support  Dual radio    Power (watts)  Memory (Mb)  WLANs per radio supported
10x0 Models      LWAPP                     Yes               No               REAP                    Yes           13             16           18
1121 AG Models   Both                      No                No               No                      No (only g)   6              16           8
1130 AG Series   Both                      No                No               H-REAP                  Yes           15             32           8
1230 AG Series   Both                      Yes               No               No                      Yes           14             16           8
1240 AG Series   Both                      Yes               No               H-REAP                  Yes           15             32           8
1300 Series      Both (LWAPP in AP mode)   Yes               Yes              No                      No (only g)   N/A            16           8
1500 Series      LWAPP                     Yes               Yes              Yes                     Yes           N/A            16           16

WLAN Controllers and Access Point Support

Part Number (Platform)                                                          No. of Access Points Supported
AIR-WLC2006-K9 (Cisco Wireless LAN Controller appliance)                        6
NM-AIR-WLC6-K9 (Cisco Wireless LAN Controller Module for ISRs)                  6
WS-C3750G-24WS-S25 (Cisco Catalyst 3750G Integrated Wireless LAN Controller)    25
WS-C3750G-24WS-S50 (Cisco Catalyst 3750G Integrated Wireless LAN Controller)    50
AIR-WLC4402-12-K9 (Cisco Wireless LAN Controller appliance)                     12
AIR-WLC4402-25-K9 (Cisco Wireless LAN Controller appliance)                     25
AIR-WLC4402-50-K9 (Cisco Wireless LAN Controller appliance)                     50
AIR-WLC4402-100-K9 (Cisco Wireless LAN Controller appliance)                    100
Cisco Catalyst 6500 Series Wireless Services Module                             Up to 300

Controller Placement Design

- Minimize intercontroller roaming.
- Implement deterministic redundancy.
- A centralized design supports the integrated platforms:
  - Cisco Catalyst 3750G Integrated Wireless LAN Controller for small-to-medium deployments
  - Cisco WiSM for medium-to-large deployments
- Distributed designs may work well with existing networks.
- The general recommendation is to use a centralized design, but decide based on:
  - Current network and policies
  - Growth plans

Example: Distributed WLC Design


Example: Centralized WLC Design


Campus WLC Options

Stand-alone appliance controller
- The routed network is on another platform.
- 802.1Q trunk to the switched or routed network

Integrated controller
- The routed network can exist on the same platform.
- The Layer 2 connection is internal.
- A Layer 2 or Layer 3 connection to the routed network can be used.

Branch Wireless Network Design Considerations

- Number of access points needed at the branch
- Availability of switch ports
- Availability of power
- Controller cost
- WAN bandwidth constraints
- Latency between the access point and the WLC should not exceed 200 ms RTT.
- For centralized controllers, use REAP or Hybrid REAP access points.

Local MAC

Access point MAC functions:
- 802.11: Beacons, probe response
- 802.11 control: Packet acknowledgment and transmission
- 802.11e: Frame queuing and packet prioritization
- 802.11i: MAC layer data encryption and decryption
- 802.11 MAC management: Association requests and actions

Controller MAC functions:
- 802.11 proxy association requests and actions
- 802.11e resource reservation
- 802.11i authentication and key management

Remote Edge Access Point

A lightweight access point designed to be controlled across WAN links:
- REAP is designed to support remote offices by extending LWAPP control timers.
- Control traffic is still LWAPP-encapsulated and sent to the Cisco Wireless LAN Controller.
- Client data is not LWAPP-encapsulated but is locally bridged.
- All management control and RF management is available when the WAN link is up and connectivity is available to the Cisco Wireless LAN Controller.
- It will continue to provide local connectivity even if the WAN is down.

REAP Limitations

- REAP devices do not support 802.1Q trunking. All WLANs terminate on a single subnet.
- If connectivity to the WLC is lost, only WLAN1 is supported. Multiple WLANs are not recommended on REAP devices.
- REAP devices support only Layer 2 security policies.
- REAP devices and clients require a routable IP address provided locally and do not support NAT.

Hybrid REAP

- H-REAP is a solution for small or branch offices and retail on the LWAPP Cisco IOS platforms.
- H-REAP supports simultaneous tunneling and local bridging:
  - Local switching bridges traffic onto local VLANs.
  - Central switching tunnels traffic to the controller.
- H-REAP provides more security options for the remote site:
  - Stand-alone mode does client authentication by itself (WPA-PSK, WPA-PSK2).
  - Connected mode uses the controller to complete client authentication (WPA-PSK, WPA-PSK2, VPNs, L2TP, EAP, and web auth).
- Round-trip latency must not exceed 200 ms between the access point and the controller.
- H-REAP supports NAT and PAT.

Example: H-REAP Deployment

Branch Office WLC Options

Appliance controllers
Cisco 2006: support for up to six access points
Cisco 4402-12, 4402-24

Integrated controllers
Cisco Wireless LAN Controller Module for ISR
Cisco Catalyst 3750 Series Integrated WLAN Controller (support for 25 or 50 access points)

Summary
An RF site survey is used to determine the RF characteristics of a wireless network and helps determine access point placement.
Guest services are easily supported using EtherIP tunnels in the Cisco Unified Wireless Network.
Outdoor wireless networks are supported using outdoor access points and Cisco Wireless Mesh Networking access points.
Campus wireless network design provides RF coverage for wireless clients in the campus using lightweight access points; the access points are managed by Cisco Wireless LAN Controllers.
Branch wireless network design provides RF coverage for wireless clients in the branch; central management of REAP or H-REAP access points can be supported.

Wireless Networking Review

Define the wireless requirements.
Conduct an RF site survey to define the RF characteristics in the environment.
Define access point deployment locations based on the site survey and customer requirements.
Determine the WLC design:
Redundancy (primary, secondary, tertiary)
Placement of WLCs in the distribution layer
Whether remote sites will use local or centralized controllers
Determine the number of mobility groups that you will need.
Plan how to support internal VLANs and guest access if needed.

Cisco Unified Wireless Network Review

Module Summary
The Cisco Unified Wireless Network architecture centralizes WLAN configuration and control on WLCs that control LWAPP access points.
The Cisco Unified Wireless Network provides transparent roaming, supporting both intracontroller and intercontroller roaming.
Deterministic controller redundancy with integrated RRM provides the highest-quality roaming experience.
An RF survey in a wireless network design determines the characteristics of the wireless network and the access point placement that provides optimal RF coverage for wireless clients.

Implementing and Operating the Network

Designing for Cisco Internetwork Solutions (DESGN) v2.0

Reviewing Design and Implementation Resources

Implementing and Operating the Network

Solution Reference Network Design Guides

SRND guides:
Focus on a specific solution
Provide an overview of relevant technologies
Give a description of the architecture
Offer recommended design practices
Provide configuration examples
Are available for the following areas: campus, data center, branch office, teleworker, WAN and MAN, security, unified communications, wireless

Cisco Networkers Online Subscription

200+ technical training sessions, including:
Application Optimization Technologies
Contact Center Technologies
Data Center Technologies
Network Access and Aggregation Technologies
Network Management Services Technologies
Optical and Metro Ethernet Technologies
Routing and Switching Technologies
Security Technologies
Storage Technologies
Voice and Video Technologies

www.networkersonline.net

Summary of Cisco CCNP Courses

Building Cisco Multilayer Switched Networks (BCMSN): recommended prerequisite for Designing for Cisco Internetwork Solutions
Building Scalable Cisco Internetworks (BSCI)
Implementing Secure Converged Wide Area Networks (ISCW)
Optimizing Converged Cisco Networks (ONT)

Building Cisco Multilayer Switched Networks v3.0

Use the Cisco hierarchical network model for campus networks
Define VLANs to segment network traffic and use
Implement spanning-tree operation
Implement and verify inter-VLAN routing
Implement high-availability technologies and techniques
Describe and configure wireless LAN access
Describe and implement security features
Describe and configure a switch to support voice

Covers skills required to build enterprise-class switched networks with integrated VoIP and wireless applications

Building Cisco Multilayer Switched Networks v3.0 Course Flow

(Five-day schedule table with AM and PM sessions; the day-by-day layout did not survive extraction. Topics in the schedule: Course Introduction, Network Requirements, Defining VLANs, Implementing Spanning Tree, Inter-VLAN Routing, Implementing High Availability, Wireless LAN, Configuring Campus Switches for Voice, Minimizing Service Loss.)

Building Scalable Cisco Internetworks v3.0

Explain routing in the enterprise network
Implement and verify EIGRP operations
Build a scalable multiarea network with OSPF
Configure integrated IS-IS in a single area
Implement Cisco IOS routing features
Implement and verify BGP for enterprise ISP connectivity
Implement and verify multicast forwarding using PIM
Implement IPv6 in an enterprise network

Covers skills required to build enterprise router networks with mixed, integrated internal and external routing protocols

Building Scalable Cisco Internetworks v3.0 Course Flow

(Five-day schedule table with AM and PM sessions; the day-by-day layout did not survive extraction. Topics in the schedule: Course Introduction, Network Requirements, Configuring EIGRP, Configuring OSPF, Manipulating Routing Updates, Configuring IS-IS Protocol, Implementing BGP, Implementing Multicast, Implementing IPv6.)

Implementing Secure Converged Wide Area Networks v1.0

Explain the Cisco hierarchical network model as it pertains to the WAN
Describe and implement teleworker configuration and access
Implement and verify frame mode MPLS
Describe and configure a site-to-site IPsec VPN
Describe and configure Cisco Easy VPN
Explain the strategies used to mitigate network attacks
Describe and configure Cisco device hardening
Describe and configure Cisco IOS firewall features

Covers skills for securing and expanding the reach of the enterprise network to teleworkers and remote sites. The focus is on securing remote access and VPN client configuration.

Implementing Secure Converged Wide Area Networks v1.0 Course Flow

(Five-day schedule table with AM and PM sessions; the day-by-day layout did not survive extraction. Topics in the schedule: Course Introduction, Network Requirements, Connecting Teleworkers, Implementing Frame Mode MPLS, IPsec VPNs, Cisco Device Hardening, Cisco IOS Threat Defense Features. Scheduled exercises: Simulation 2-1; Labs 3-1, 4-1, 4-2, 4-3, 4-4, 5-1, 5-2, 5-3, 6-1, 6-2, 6-3.)

Optimizing Converged Cisco Networks v1.0

Explain the Cisco hierarchical network model as it pertains to an end-to-end enterprise network
Describe specific requirements for implementing a VoIP network
Describe the need to implement QoS and the methods for implementing QoS on a converged network
Explain the key IP QoS mechanisms used to implement the DiffServ QoS model
Configure AutoQoS for Enterprise
Describe and configure wireless security and basic wireless management

Covers techniques and skills to optimize QoS in converged networks supporting voice, wireless, and security applications

Optimizing Converged Cisco Networks v1.0 Course Flow

(Five-day schedule table with AM and PM sessions; the day-by-day layout did not survive extraction. Topics in the schedule: Course Introduction, Describing Network Requirements, Describe Cisco VoIP Implementations, Introduction to IP QoS, Implement the DiffServ QoS Model, Implement Wireless Scalability. Scheduled exercises: Labs 2-1, 2-2; Case Study 3-1; Labs 3-2, 4-1, 4-2, 4-3, 4-4, 4-5, 4-6, 5-1, 5-2, 5-3, 6-1, 6-2, 6-3, 6-4.)

Designing Cisco Network Service Architectures (ARCH) v1.2

Presents the Cisco AVVID framework
Create intermediate network designs for:
Enterprise campus infrastructure
Enterprise edge infrastructure
Network management
High availability
Security
QoS
IP multicast
VPNs
Wireless
IP telephony
This is the next course in the design certification track.

Designing Cisco Network Service Architectures v1.2 Course Flow

(Five-day schedule table with AM and PM sessions; the day-by-day layout did not survive extraction. Topics in the schedule: Course Introduction, Introducing Cisco Network Service Architectures, Designing Enterprise Campus Networks, Designing Enterprise Edge Connectivity, Designing Network Management Services, Designing High-Availability Services, Designing Security Services, Designing QoS, Designing IP Multicast Services, Designing VPNs, Designing Enterprise Wireless Networks, Designing IP Telephony Services, Wrap-Up.)

Foundation Courses for Channel Partners

Foundation Express for Account Managers (FXS)
Foundation Express for System Engineers (CFXSE)
Foundation Express for Field Engineers (CFXFE)

Security Courses
Securing Cisco Network Devices (SND)
Securing Networks with Cisco Routers and Switches (SNRS)
Implementing Cisco Intrusion Prevention System (IPS)
Securing Networks with PIX and ASA (SNPA)
Cisco Secure Virtual Private Networks (CSVPN)

Voice Courses
Implementing Cisco Quality of Service (QOS)
Cisco Voice over IP Fundamentals (CVF)
Cisco Voice over IP (CVOICE)
Cisco IP Telephony Part 1 (CIPT1)
Cisco IP Telephony Part 2 (CIPT2)
IP Telephony Troubleshooting (IPTT)
Implementing Cisco Voice Gateways and Gatekeepers (GWGK)
IP Telephony Design (IPTD)

Wireless Courses
Aironet Wireless LAN Fundamentals and Site Survey (AWFSS)
Aironet Wireless LAN Advanced Topics (AWLAT)
Cisco Wireless LAN Fundamentals (CWLF)
Cisco Wireless LAN Advanced Topics (CWLAT)
Cisco Unified Wireless Networking (CUWN)
Cisco Wireless Mesh Networking (CWMN)

Summary
SRND guides provide deployment scenarios that incorporate Cisco products and technologies into a tested architecture.
Cisco Networkers Online provides introductory to advanced training sessions on a subscription basis.
The Building Scalable Cisco Internetworks, Implementing Secure Converged Wide Area Networks, and Optimizing Converged Cisco Networks courses provide additional theory and detailed configuration information that supports enterprise network design and implementation.
Designing Cisco Network Service Architectures is the next course in the design certification track.
Cisco specialization courses provide in-depth, hands-on training supporting security, voice, and wireless.
